Slashdot Mirror
Future Trends of Malware
An anonymous reader writes "What are the driving forces behind the rise of malware? Who's behind it, and what tactics do they use? How are vendors responding, and what should organizations, researchers, and end users keep in mind for the upcoming future? All these questions and more are answered in the well written (MHO) Future Trends of Malware"
money.
Fry: heh, Yakov Smirnoff said it
Leela: No he didn't.
It seems like parents everywhere trust their AntiVirus to stop everything. When they get spyware, and you tell em you got to remove it, they'll retort,"Oh, just run Mcaffee". The funny part that we all know here is that there are too much malware out there for one Antivirus software to stop and they keep coming. To me, Antivirus software seems a lot like SnakeWater.
God spoke to me.
I'm sure it's a great paper. But when it's presented as black and sky blue text on a purple background, reading it is almost like having my eyes infected with malware.
Opinions on the Twiddler2 hand-held keyboard?
We have a winner!
My karma is in a nose dive
Key summary points
--------------
Malware authors update their multi-vendor anti virus signatures faster than most end users and enterprises do altogether
The high pressure put on malware authors by the experienced vendors is causing them to unite efforts and assets, and realize that it's hard to compete on their own. Yet this doesn't stop them from waging a war in between
Intellectual property theft worms have to potential to dominate in today's knowledge-driven society acting as tools for espionage
Don't matter what you always wanted to do to ecriminals, in case of a cryptoviral extortion, you'll be the one having to initiate the contact
The growing Internet population, E-commerce flow, and the demand for illegal/unethical services, would fuel the development of an Ecosystem, for anything, but legal
The "Web as a platform" is a powerful medium for malware attackers understanding the new Web
The unprecedented growth of E-commerce would always remain the main incentive for illegal activities
7.0 Conclusion
--------------
I hope that the points I have raised in this research, would prove valuable to both end users, businesses and anti-virus vendors. The Internet as a growing force shaping our ways of thinking and living is as useful, as easy to exploit as well. The clear growth in E-commerce, today's open-source nature of malware, the growing penetration of the Internet in respect to insecure connected PCs, are among the main driving factors of the scene. Do your homework and stay ahead of the threats, most of all, less branding when making security decisions, but high preferences! Please, feel free to direct your opinions, remarks, or any feedback to me, at dancho.danchev AT hush.com or at ddanchev.blogspot.com where you can directly comment on my publication. Nothing is impossible, the impossible just takes a little while!
Greed. Free products like Daemon Tools, when the author suddenly decides that free doesn't pay the bills, and includes spyware. Daemon Tools is a great product, but I refuse to ever use it again. I don't care if the setup lets you uncheck the option to install the spyware; it shouldn't be there in the first place.
Titus Barik
Would it be possible, if for instance, an ISP sees a shit load of traffic from a customer's address directed at another address to start blocking that traffic? Or at the very least notifying the customer that there may something wrong. I bet just about everyone whose computer has these bots are comletely unaware. They might even bitch about how slow their connection is.
I'm already thinking of the ethical and privacy issues involved with doing that, but it would stop some of the DOS extortion.
From TFA, re: effects of Sasser worm... "British Airways, 20 flights delayed by 10 minutes".
In the UK, flights being delayed by only 10 minutes is a cause for celebration. By this metric, French Air Traffic Control on a public-holiday-strike is more damaging to world commerce than a piddly little computer worm!
... you know, my Uncle Jim used to say that a lot of problems in the world could be solved with a .22 to the back of the head...
... elipses...
I counted 45! exclamation points in that article!
Now after reading it, I have become so depressed that I have decided not to connect my computer to the internet ever again!!!
He who knows best knows how little he knows. - Thomas Jefferson
...they forgot VoIP. Amazing oversight really. How long before someone hacks Skype and manages to insert malware code into the VoIP data stream? You place a call to someone and somewhere along the way extra data is inserted and finds its way onto your machine. I'm not that knowledgeable about VoIP's inner workings, but it seems to me that anything that allows data to be moved back and forth from your computer unfettered is a doorway for malware to be lodged on your machine.
GetOuttaMySpace - The Anti-Social Network
In my opinion, and the article concludes with almost the same point, the 'future trends of malware' will be determined in response to the future trends in software, such as the focus on cracking down on browser phishing, the rise in popularity of open source and the totally net integrated space age home the world has always been promised, but just hasnt happened yet.
Conclusion: more of the same but general software reacts to malware much more slowly than the counter reaction.
Horribly written, lots of (mostly) un-referenced statistics without any analysis. Rambles on without any real point. Anything groundbreaking here?
If they find out, they'll send you to bed with no supper or TV. They'll take away your iPod, Gameboy, XBox, and all of your toys until you start being good!
Now, go away or I'm telling your Mom!
Malware meets so many of the deep desires of the marketing world (and the corporate world in general). It can provides market data in bulk, practically "for free" (from the company's perspective). It can provide a further degree of control over a user's computer. It can enforce DRM. It can force ads on people.
Thus, I can only conclude that the future of malware is for it to go from something created by shady companies like Gator (a.k.a. "Claria") and 419WebSolutions (or whatever) to something created (or at least branded) by "household name" companies like HP, Dell, etc. A first step towards a future in which major corporations embrace malware has already occurred; just look at all the crap Dell shovels onto their much-maligned default software installations.
With spending like this, exactly what are "conservatives" conserving?
From the article:
modular - new features are easily added to further improve its impact, want it to have P2P propagation capability, add it, want it to disseminate over IM, done.
Okay, malware can be modular - makes sense.
The lack of P2P worms is, I think, a logical consequence of the RIAA's busts around the U.S, and the global response towards P2P networks copyright infringement.
How did the author manage to come to that "logical" conclusion? How is the presence (or !presence) of malware related to the "global response... copyright infringement"?
Given today's P2P concepts, and the disruptive BitTorrent technology, it is not longer required to on purposely slow down transfers to hide the activity on a user's host.
And where the heck is he going with this??
Submitter, if this is your idea of "well written", I respectfully suggest you broaden your literary scope.
I want to drag this out as long as possible. Bring me my protractor.
It wouldn't solve everything, but it would help limit further the damage malware could do. It could access (and corrupt) the data for the particular application it suborned, but without exploiting secondary holes it couldn't do more. This would prevent, say, a hole in Firefox from allowing malware to get at your Gnucash data. It also doesn't require much any new permission-checking code, the kernel already does file-access checks anyway.
PHEM - party like it's 1997-2003!
I'm sure there's several forces at work driving malware. First is money. Unfortunately security is a joke to Microsoft and a large portion of the folks who use their products. As such these companies are constantly finding new methods and ways to infect your system with their crap. There has to be a decent amount of idiots buying their products for them to be continually pumping out new malware. A second force is likely just ego. There's likely a bit of upmanship between peers constantly trying to outdo the other by finding new backdoors.
If big boobed women work at Hooters do one legged women work at IHOP?
Malicious software can make money now, that which makes money attracts sellers.
It's that simple, whereas in the past malware was mostly out of a quest for fame or percieved revenge, the malware of today is business malware, the nasty programs of old all dressed up in suit and tie and making someone filthy rich.
This problem is exacerbated by the fact that nearly everyone runs Windows XP these days and Microsoft wasn't very attentive to security when they designed it. The sheer number of critical vulnerabilities that the operating system has is mind boggling. Recently, it was stated by some firm or another that Linux had released more patches than any other OS this year. Now, aside from the obvious problem with that statement (the patches weren't patches for Linux itself but for software in common Linux distributions, which is vastly greater in number than that of a Windows installation) if you look at the things patched, they aren't terribly dangerous. They are things like "potentially vulnerable to DNS attack" or "Local user can gain partial root privileges" and such, they are not like "Someone on the other side of a planet can send you a magic packet that makes your computer their bitch permanently," which is what the vast majority of Windows vulnerabilities allow.
In short, malware has grown because malware is like any pathogen, it lies in wait until conditions are optimal for its growth and when they are it takes over quite rapidly. Remove one of its primary growth factors, and you'll slow it down. Remove more, and you'll potentially kill it.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
support Open source:
? form_cat=43
Winpooch Watchdog
http://sourceforge.net/projects/winpooch/
ClamAV port to windows (scanner only, no heuristics)
http://www.clamwin.com
OpenAntivirus :
http://openantivirus.sourceforge.net/projects.php
security projects:
http://sourceforge.net/softwaremap/trove_list.php
P2P Anonymous Distributed Web Search: http://www.yacy.net/
My God, the grammatical errors in that paper are painful. Is a paper displaying such an appalling lack of quality really worthy of the attention of hundreds of thousands of SlashDot geeks?
With spending like this, exactly what are "conservatives" conserving?
Its really easy to fix: don't use winders
Hi there
From my point of view, a security specialist, is that only 20-30% of the attacks on businesses and corporations are done electronicly from the outside, the rest (70-80%) are inside, mostly disgrunted employees. With the current trend of money/public focused companies treating employees like crap, all it would take is a vicious malware application to take them down.
Malware is also becoming intelligently designed, no longer the 'see-this-famous-tennis-star-naked so-I-can-use-built-in-vbs-code to-email-everyone-in-your-addressbook' stupid-is-as-stupid-does tricks. They're pointed, direct, and very very scary.
Here's to paying and treating your geek employee well!
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
Could the person who called this article "well-written" be so kind as to tell me what this means? The article is filled with crap like this; I'd give it a C-, at best, as a freshman paper.
I found the article hard to follow because of its unclear English and unhelpful lack of punctuation. Perhaps it is a transcribed presentation. I'm not convinced that the person writing it is a helpful security consultant, because, in the article, he fails to point out that something encrypted by a private key (and we're to assume the author means public/private key paired encryption) is easily recovered with the private key:
A cryptoviral attack basically takes data as a hostage, encrypted with the author's public key, naturally wiping out the unencrypted data, and demanding a ransom for it.
Aside: I now have a great excuse for being pulled in by intelligence agencies: a virus encrypted my files and I haven't yet restored them (because I can do this sort of unencryption painlessly later).
Note that some of these goals target individuals and their PCs whereas other target larger organizations. One key commonality of nearly all of the goals is that they target large numbers of PCs or require large numbers of infected machines to achieve the goal. Thus immunological approaches that look for the spread of unusual code or data packet patterns can help address this problem. On the other hand, immunological approaches won't work if the malware attack targets a single individual or company -- e.g. implanting a unique virus in one computer in a company for purposes of espionage or extortion.
Note that half of the goals are very different from the stereotypical destructive virus or worm of yesteryear. With the exception of vandalism, extortion, vigilantism, and military, the other goals are essentially non-destructive. The malware creator's goals are not achieved if the malware crashes the target machine.
Two wrongs don't make a right, but three lefts do.
I think the ultimate future of malware will encompass biometric and RFID. Rather than key loggers, we will see biometric image capture (e.g. a scan/image capture of the user's thumbprint). Or capturing RFID patterns.
I still say purveyors and criminal users of malware should be subject to life prison sentences if not death.
Ignorance is curable, stupid is forever.
Anti Virus companies will always be slower than malware writers. The whole signature-based antivirus approach is fundamentally flawed. The solution? Either by using heuristics (could get pretty difficult), or don't allow the malware to get onto your machine in the first place. That shouldn't be too difficult, if you think about it.
With a multiuser system that actually enforces permissions, it's your fault if you click on that attachment. And the only thing that happens is you lose your home dir. I agree that using your personal data this way is much worse than losing system data, but it is also much more educating. If it happens to you once, you'll remember when you get the next suspiciously looking email. On the other hand, if your system slowly goes down due to the number of malware you have installed, you curse the vendor (M$), but you don't realise it's your own fault.
Thanks for that tip! I found the page's font too tiny for my baby-boomer eyes. Just increased the text size, and the squinting wasn't necessary.
"Let us raise a standard to which the wise and honest can repair" - George Washington
They will be ported to Vista.
So far, malware has been treated as an IT/commercial problem (which is what this article does), but it has become so pervasive and costly that it is also now a political problem. The barely fettered growth of malware - its sheer scale, organization and the amounts of money involved - raises a lot of questions about privacy, international cooperation and what to do about the internet itself. I don't think it's something that the IT industry can tackle on its own. You can have as much protection as you like, but so long as malware outfits can slip through 1001 transnational loopholes and exploit safe-haven jurisdictions there will always be a serious problem.
.ru or .ro can apparently do what they like, and some notorious spammers and phishers remain on Top 50 lists for years without anyone so much as slapping their wrist. In previous centuries, the whole thing was called "piracy" and states tackled it with, erm, "extreme prejudice". Sometimes, I feel they may have been on to something.
I don't pretend to know the answers, but waving a copy of Norton Internet Security at the bad boys isn't it, for sure. Perhaps there is an element of deliberate wimping out going on here. The IT industry doesn't want to admit it cannot solve things alone, because it doesn't want politicians and regulators muscling in. And politicians like to pretend that malware is purely an IT problem because they don't want the headache of involvement in sorting out the mess.
As one result, perhaps, domains ending in letters like
Las qué passoun
tournoun pas maï
What is "offtopic" about a comment on the possible future of malware including biometrics and RFID in an article about the future of malware?
Mods not on crack, but Drano.
I have never seen 1.1962222086548019456196316149566e+56 exclamation points! That must be a new record! Quick! Somebody contact Guinness!
money
Look, money is a perfectly fine motivation for script kiddies and Nigerian scam artists and ex-KGB Russian/Ukrainian mafiosi.
But there's an outfit sitting behind a router in the PRC that has a different motivation; something along the lines of "Geopolitical World Dominance":
It's kinda like the board game "Risk", only this is the real McCoy.As long as M$ continues to sell shit, malware will continue to plague the general population. Ya'll go ahead & make sure your copy of Symantec is all up to date... hope you feel safe. In the meantime those of us who have half-a-brain will use an OS that isn't dependent on outside factors to work *properly (*this is assuming some people think M$ actually works properly to begin with).
Malware can be categorized by the goal of the creator.
You forgot the most obvious goal
9. Because they can
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
There is only ONE way to ensure a world which is TOTALLY free of Malware. That is to enshrine into the Law of the Land, the principle that the administrator of a computer, being King and God of all that happens to that computer, has the right -- personally or vicariously -- to view the source code of ANY application running on that computer. {From there,'tis but a short step indeed towards enshrining in law the rights of users of software to ENJOY, STUDY, SHARE and ADAPT that software; but we'll not jump the gun just now.}
If vendors don't want to release the source code for their applications, then probably nine hundred and ninety-nine thousand, nine hundred and ninety-nine times out of a million, it's precisely because there is something in there that would make you decide not to use that software if you knew about it.
Why is that the case? When I buy food, it tells me not only the ingredients, but also the amount of carbohydrates, fats and proteins in every 100 grammes. Food manufacturers are not exempt from the requirement to disclose what is in their products, why the hell should software manufacturers be?
Even in the Open Source community, users outnumber developers. So something that sounds bad for developers {they won't necessarily get paid just for cranking out a shitty little closed source program, boo hoo} but is good for users should be supported.
{You might get away with replacing general-purpose computers with computationally-incomplete appliances, but that would be a backward step.}
Je fume. Tu fumes. Nous fûmes!
Somebody wants to hurt members of the MPAA/RIAA. While I have no doubt their cries and moans of loss are exponentially exxagerated, one would presume P2P has been a decent way to attack those bastards. You know, the whole "enemy of my enemy is my friend" dynamic. When the MPAA/RIAA are bankrupt, I would not be surprised to see P2P malware become more prevalent.
I would not be at all surprised if this was the case.
This is how the loudness war is killing music.
Took a freshly installed WindowsXP machine, service pack nothing. Started up IExplore and set out to infect myself.
.. on it was my IP address (of my outside net), my ISP (RR is all it said), and it mentioned that I was infected with spyware and would be investigated. It mentioned I should immediately run an anti-spyware check on my PC.
I'll tell you what, there's a site I hit, that the second I got there, the computer seemed to lock up (the VMWare session went to 99%) for about 20 seconds. Then it came back to reality, the browser closed, the MS Picture viewer rendered a file called 892f98lkf43.WMF and then it closed. All of a sudden, I had about 10 toolbars, SpySheriff, my desktop changed to a "YOUR COMPUTER IS INFECTED WITH SPYWARE" black screen with white writing. SpySheriff made the system keep saying (from the task bar) "Windows has detected a spyware infection". That's deceptive, as it seems like Windows found it, but I digress.
I tried to change the wallpaper, but it was disabled. When I brought IE back up, it went to c:\secure32.html
I browsed back to the web, and was assaulted by porn. Not just big tits, washed up adult models, but stuff that would probably pique the interest of law enforcement (lolitas, etc). Some of it said "all models 18" but those didn't LOOK 18 enough for me.
All brought to my VMWare machine by some website that auto-downloaded a BUNCH of stuff on my computer.
For the final test, I downloaded StopZilla, which asked for a reboot. After I rebooted, all of the exploits on my machine were GONE. Fixed. Or, at least, quarantined.
Delted / wiped the vmx file.
whew!
= Grow a brain...
...Is his comment that they are going to target all peer 2 peer with this crap .
I know virii were out there before, but this seems a tad more insidious .
The disabling and bypassing of all know anti-virus software is their goal as well .
Virii often were for just the point of overloading a network or taking a PC down .
These don't want your PC down they want total remote control of it and want to
keylog your credit cards, and your passwords and want to financially rape you .
I have had several clients of late that have had remote access type spyware,
and had keyloggers paired in with it, and their anti-virus and spybot unable to update .
It is getting pretty bad compared to just a cpl of years ago .
I think the paper is relevant if self appreciative of the submitter .
Ex-MislTech
google "32 trillion offshore needs IRS attention"
That's what they call future trends? If that's right we're pretty safe then.
What would be interesting would be malware written in popular high level scripting or bytecode languages - e.g. perl, python, lisp. These do and will run on windows - with broadband becoming widespread it doesn't take long to download and run the relevant packed perl/python/lisp executable, and such executables do have legitimate uses anyway.
You can very easily write games/utils in such languages to help them spread as trojans.
It'll be interesting to see how the AV people will cope with these.
An attacker should be able to rapidly generate multiple versions of the malware faster than the AV people can generate signatures.
The malware can search for updates and download them with the help of search engines like google (google groups) and various blog/discussion sites. They might even be able to communicate with each other via spam email.
I'm not even sure if the code signing stuff will help.
After all the initial code could be innocuous with perhaps one or two really terrible "bugs". But subsequent code could be totally different. Because with such languages once the first bit is in, fetching and executing new code isn't as hard as downloading a new executable binary (which may require passing checks by the O/S and AV software), it's just downloading/finding the correctly identified/tagged string and running the equivalent of "eval" on it. Heck, one could just blindly run a string and catch the resulting exceptions if it's not proper code.
I'm not a malware author, but I think most malware is rather primitive (esp those on windows[1]). I'm wondering how advanced the malware detection and prevention stuff really is.
[1] I guess they don't need to be very sophisticated when the users actually do stuff like help enter the right passwords to unzip the malware and then voluntarily run the payload! Even better those users usually run as admin.
I don't live by the latest trends... I choose linux! :-)
The right answer for security purposes is to run the renderer component of a browser in a kind of jail, with each page (or at least each site) rendered in its own jail. An instance of the renderer should be launched with a connection to a window, a connection to the net, and a connection to a cache subdirectory for the site being rendered. With the instance in a jail, unable to open files, damage is limited. The rendererer can be corrupted, but when the page is closed, the problem is gone.
Of course, this breaks tabbed browsing; can't have two sites in one window. Secure cut and paste requires a "guard", a firewall for the clipboard. Program invocation from the browser might be allowed, but confined to the same jail, such programs can't do much. Downloads all have to go into quarantine.
That's what it takes to achieve browser security that works. This has been known since the 1980s. A very few DoD systems work this way. Users hate it.
The necessary compartmentalization needs machinery like that in SELinux. Users and groups just aren't enough.
Would you give up tabbed browsing and browser toolbars to get security? Ask your users that.
That's the problem.
...Perhaps by Slashdot standards.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Has anybody looked into the idea that companies (such as pharmaceutical marketers) are paying Microsoft to not fix vulnerabilities? This is something that I've wondered about often, but never read anything about. A "Halloween Document" on this would be very interesting...
A lot of users have asked me over the years if Microsoft is paid by antivirus companies not to fix vulnerabilities. This is apparently an easy leap of logic for the most untechnical folks. We know that pharmaceutical marketers are using bots to crawl and reap email addresses, as the Perl developer that tried to blow the whistle on them last year had his computers confiscated by the cops, who were sent by his employer to ensure a cover-up (stop their ex-employee from publishing company secrets using some kind of Industrial Espionage legislation). Sigh.
Ok so it's a general concensus that money is at least one of the main forces behind malware, so why don't we hit them where it hurts. Anytime a company is found to have used these practices they are "blacklisted." Basically boycott any company that is known to use this practice and make them aware that we will no longer purchase products or services from them until they cease and desist. You would be surprised at the effect that boycott's have had on big business. Doubt me? Google it.
It seems to me that a signature-based antivirus system (that needs to be updated continuously via subscription) is a more steady and lucrative form of business model than a final solution to all computer security.
If fingerprints ever start being widely used, muggers will just hit you over the head and cut off your fingers. They can check to see if you have a bank account later. If you think that there are not plenty of people that would cut your fingers off for the chance of a couple of hundred dollars, you are sadly mistaken, and a danger to the rest of society.
Who's behind it, and what tactics do they use?
Anti-virus vendors and Microsoft(?); FUD.
Thank you for Alt-V-Y-N (View - Page Style - No Style)!! You have made my day and justified many hours squandered on /.
Slashdot entertains. Windows pays the mortgage.
... but I play one occasionally in my spare time (Computer Science degree = computer tech to most people around here).
One of my neighbors ran into the dual headed buzzsaws called SpyAxe and Spywarestrike. Both of these programs are supposedly anti-spyware programs, when in reality, they're hijackers that hold your computer for ransom. Both programs place a flashing error message in your system tray warning you that your computer is infected with spyware and that you need to purchase the full version of their product to get rid of them. These messages fill up a quarter of the screen and constantly pop up. If you uninstall the software, they reinstall themselves on the next reboot. To get rid of SpyAxe, I had to run a custom program in safe mode. For SpywareStrike, I ran across a forum message on Sysinternals that said all I had to do was delete a dll file from the System32 directory.
It would have cost them less to purchase the software than it cost me to fix their machines, but I think they gained a lot of valuable insight when I explained to them what vulnerabilities their computer had and how they could avoid problems in the future. They had no firewall, were using IE, hadn't updated Windows in forever, and were running Norton with an out of date virus definition file.
Luckily, they also follow directions.
It all boils down to whether it's a Malware author or Microsoft who can first make a legitimate claim to: "ALL your PC are belong to us".
(Presuming that there are actually differences between those two entities.)
I read the entire article. I really appreciate the author taking the time and trouble to share his knowledge with us, so I won't mention that his writing style was almost incoherent and left me dizzy.
The more I read and learn about the magnitude of the problem, the more paranoid I become these days. Just the thought of hundreds of thousands of computers under the control of criminals or foreign governments is frightening. The idea expressed by the author that a certain sector of industry could be specifically targeted to harvest all their knowledge is very worrisome. Imagine the benefits to be had by some unscrupulous foreign power to dominate segments of the world's economy with such ill-gained knowledge.
The fact the many billions of dollars are being made by these criminals is also disturbing. The flow of revenue to the underworld gives power to the criminals - power to bribe and corrupt and spread their evil and grow like a cancer. I think its time for a more organized approach to counteract the threats discussed, both present and potential.
My first thought is this - a problem of this magnitude simply wouldn't exist if it weren't for the Windows operating system. Now perhaps that's unfair to say, because a million other benefits of having a common platform would also not exist if it weren't for Windows as well. Simply, the software industry as we know it just wouldn't exist without a common platform. The fact that one has a ready market on 90% of the world's computer for their software products is an incredible incentive for the growth of the industry.
We allowed Microsoft to dominate the desktop because we all benefited from platform standardization, and now we have seen what this monoculture has brought us. We allowed Microsoft to become one of the richest companies in the world because it was convenient for us, and now we are in a seriously vulnerable position because of that. Now its time for Microsoft to take full responsibility for the legacy they have given us - the good, the bad, and the ugly.
Microsoft is not a person, and this is not a personal attack on Bill Gates, who is doing some wonderful things with the many billions that we permitted him to earn. Microsoft is a multinational entity - a machine that we have allowed to run out of control - a technological Frankenstein.
There must be an immediate end to the Monoculture. I suggest that legislation be immediately enacted requiring Microsoft to stop all development on all new products and focus all their efforts and resources on fixing all the software out there that they created (at least until their revenue streams dry up, that is). Otherwise, they will just go on extending the Monoculture - into our living rooms, onto our telephones, into our refrigerators, until we become so hopelessly vulnerable that one day some virus is going to come along and make the whole world crash and burn.
The second thing we need to do is form an army to combat the criminals. Use their own techniques against them. Send viruses out into the world to clean these infected machines. Do Dos attacks on phishing sites. Require ISPs to run AI software that detects unusual patterns of internet use by their customers. Say a customer is know to typically log on everyday for half an hour - probably just checks his email before supper, and suddenly his machine is uploading data 24 hours a day - it's a dead giveaway that something may be wrong. The ISP has to take responsibility to contact such a customer to see if perhaps he has a problem - an infection. Take this exact same strategy to the next level, to the big carriers. Force them as well to monitor patterns of use and proactively investigate potential problems instead of simply rejoicing in the increased revenues.
Since this comment is already far to long, I leave this part undeveloped, but you get the idea. Its time to take back the internet.
The technology is evolving so that in addition to simply checking that the bumps on your palm print or retinal scan match what's on file, but also that there's a pulse and/or positive blood pressure. The bad guys simply whacking off your arm or taking an eye-ball ala Demolition Man http://www.imdb.com/title/tt0106697/ won't work.
For sale: Signature. One owner. Low miles. Always garaged. New punctuation, just installed!