The NYT on the Proliferation of Botnets

ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."

Well, that's sorta backwards

[davecb]

An older Windows release, reasonably patched,
running under Linux (win4lin) and behind a paranoid
firewall is safer than XP or Vista.

Alas, not as safe as an unpached RH9, mind you,
but still safer than Vista (;-))

--dave

Re:Well, that's sorta backwards

[nmb3000]

is safer than XP or Vista.
but still safer than Vista (;-))

You say this with what evidence?

Vista hasn't even been released to the public yet and the only versions people have seen are unfinished betas and a very few corporate users who have started playing with the new RTM Enterprise. You know you're on Slashdot when a product that isn't even out yet has already been relegated to the insecure/unsafe/junk software category.

However, I see you have that little winky smiley thing at the end of your post. Does that mean you're just kidding and it's all a joke? Or are you serious, but going under the guise of joking so if somebody calls you out on your statement you can just say "whoosh!"? Emoticons are stupid--better for people to say what they mean and stick with that.

Make Microsoft liable

[wytcld]

When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.

If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.

Re:Make Microsoft liable

[petrus4]

And what if it's a GPL'd chainsaw that you made in college, put on the internet for people to copy and use if they want, but never took the time to test thoroughly?

Ever been part of the warez scene on IRC?

I'm assuming you haven't, so I'll explain. That system is entirely trust based, and self-regulating. If a file ever comes from anyone which has a virus or anything else suspect included, the source of the file immediately gets ostracised, at least as a source, and most likely in terms of download access as well, since the system is based on reciprocal trade. Wrong, I hear you say...what about cracks coming from warez *web* sites or p2p nets which have malware? Said malware would likely be put into the archives by the webmasters of those sites themselves...the upstream cracking groups would NOT be doing it, because there are a lot of people in the warez food chain who are not going to want to receive/propogate known malicious files. ANY group which includes files for compromising a system with a release has just destroyed its' ability to subsequently release files that people will trust at any point in the future. Ditto for eMule files that have nasties in them...they get intercepted/recreated downstream. That is part of the entire reason why nets like eMule use the sorts of file hashing systems that they do; if you know the hash of a particular group's release, you can download said release and get entirely clean warez.

Ditto with any moron who was going to be dumb enough to try and write GPL licensed malware...they'd gain a horrible reputation very, very quickly. The other thing is, anyone who is sufficiently interested in doing the wrong thing as to be writing malware in the first place is not going to care about licensing it unless they are exceptionally stupid...which malware authors generally aren't. Sociopathic and deserving of being used as live shark bait, yes. Stupid, no.

Accidental bugs which lead to buffer overflows and such are different. They are unavoidable, and people know that...despite the best of developer intentions, occasionally they happen. As such, although the author of said bug will not risk ostracision for authoring it, in most cases (at least if the program in question has more than half a dozen or so users) it gets patched very quickly.

Re:Make Microsoft liable

[c6gunner]

"Insightful"? Dammit. Slashdot REALLY needs a better moderation system.

This psychotic-chainsaw-with-artificial-intelligence analogy is one of the dumbest things I've ever heard. Maybe the author of that post is really so ignorant about computers that he believes them capable of free-thought and action. If he is, I feel sorry for him. The people who modded him up, though, should know better. Computers require programming or user input, or both. Either way, they only do what SOMEONE ELSE has told them to do. So if you REALLY wanted a chainsaw analogy, this is more akin to someone breaking into your house, stealing your chainsaw, and then using it to slaughter half the town. After which you, naturally, wake up, curse the makers of the chainsaw, and try to convince everyone that this never would have happened if only the chainsaw had come with better security.

Seriously, the ignorance in this place never fails to amaze me....

Buying a new computer won't help you

[Junior+J.+Junior+III]

unless you know how to secure it and maintain it.

The people offering this "advice" have got to be idiots. True, it might cost more to pay someone else to de-own your PC and train you on how to avoid problems in the future than the cost of replacing the hardware. That doesn't mean that educating yourself isn't the right answer though. What does buying a new machine do to make you more secure? Buy a $400 brand spankin' new bottom of the line Dell, throw it up on the net, and get owned in under 20 minutes. Does anyone make the $1200/hr it would take to keep a steady supply of new bottom of the line bot-to-be PC's flowing into the households of idiot users who can't be bothered with learning fundamental literacy?

Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that. Casual users on the internet are presently walking through the worst parts of town with $100 bills sticking out of their pockets, and until they can figure out that this isn't smart and why and what to do better, they're going to continue to get themselves in trouble and drag down the community by feeding the predators that eat away at it.

Re:Buying a new computer won't help you

Buying a new computer won't help you unless you know how to secure it and maintain it.

I'm guessing the poster thought that was the advice based on the closing anecdote. In it someone ran into trouble because their current PC was a botnet client. They weren't running the security software provided by their ISP because it overwhelmed their PC, and were buying a new one that was powerful enough to run all of the anti-virus/firewall/etc. protection they need.

You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.

You ever see the show To Catch a Thief? A household locks all the doors and then lets a reformed burgler with a videocam attempt to break in. They show them the videotape, help them install required security, and then try and break in again at a random time to see if the family learned anything. The first time is always pitifully easy, and most of the time the burgler's able to make it in the 2nd time as well.

Now, if most people can't secure their home where all most of them have to learn is to close & lock the door when they leave, what chance to we have a mass education campaign about TCP/IP or NAT or anything else related to computer security will work?

Computer security is broken, and I don't think anyone has a workable solution. Why can trying a new screensaver wreak this much havoc?

An easy answer

[Overzeetop]

So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).

Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.

Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.

Re:An easy answer

[vtcodger]

***So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).***

Well .... No, not exactly ... unfortunately.

• Even if all you are worried about is TCP/IP to web sites, you will need to allow traffic to your ISP and your DNS provider. I don't think these connections are entirely invulnerable, but they should be pretty safe ... I think. I could be wrong about this.
• It'd certainly be possible to ignore site redirections within a web browser. I'm not sure how useful it'd be as there are legitimate reasons to redirect. Unfortunately, I don't think any current browser will let you do that. The only user really configurable browser I'm aware of is GRAIL and it is only about 70% complete and likely never will be finished unless somebody decides to take the project over. (You might be able to do a wget script that fetched a website into a file then fed the file to a browser for display. I'm not sure how you would handle clicked links in the web page. Anyway, if you do PERL, Python, or Ruby, you might well be able to hack a prototype together in a few weeks.)
• It'd probably take advertisers and websites who use redirections about 48-96 hours to switch to a system where the website delivers the ads from its own web page, so killing advertising is not a likely side affect.
• Unfortunately, there are a bunch of IP services besides HTTP -- file and printer sharing, SSH, ICMP (ping), FTP, ... The list is pretty long. Each of these runs on their own port(s). You can block these suckers with a firewall and only open the ports when you think you need them. I don't think most users could understand that, and many of those that can understand it probably would run out of patience within a day or two.
• Turning off "unneeded" ports can have unexpected consequences. For example, turing off ICMP will break Path MTU Determination which tries to optimize packet sizes. It's possible to turn PMTUD off (I've done it), but doing so isn't all that much fun.

New PC

[NitsujTPU]

Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.

The root of the problem is responsibility

[Todd+Knarr]

The core of the problem is responsibility, or a lack thereof.

Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.

And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".

Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.

Yes! Buy a new PC...

[jlarocco]

and sell your old one cheap.

Just the other day I bought an older Dell that "wouldn't boot" for $15, sans hard drive. An hour of hacking around inside, and I was able to get it going. It's a little old, but it'll make a nice LiveCD tester.

Consumers are getting raped by MS and Dell, but they're not going to learn, so might as well take advantage.

New PC isn't going to help...

[JayTech]

Purchasing a new, "updated" PC is going to give you about as much protection as purchasing a new "updated" vehicle. Sure, you're going to find plenty more safety features to make your drive easier, but bottom line is the vehicle isn't going to be immune to crashes; it's still your duty to drive responsibly. The same goes for your PC - it's your responsibility to secure you PC against the latest threats. As far as the propagation of malware goes, I predict it's only going to get worse. Let's face it - as long as people remain uneducated to the dangers of malware, and haven't really been affected by it firsthand, they aren't going to make an effort to protect themselves. They'll keep paying Norton $20+ a year for non-existent protection, as long as it makes them feel safe.

Look at it logically and focus your efforts.

[khasim]

There are a limited number of ways for a machine to be cracked.

#1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.

#2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.

#3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).

So, why aren't we seeing a focus on the biggest security issue?

Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.

If you cannot do it securely, then you should not do it.

Re:Look at it logically and focus your efforts.

[mistralol]

Well thats not really true. There is almost an unlimited number of ways a machine can be compromised.
Most of them still valid.

A program written for a specific task downloaded and run by the end user does not fall into the categories you list.

First problem with XP and SP2 was its new security features did very little. Like come on it now asks the end users is this ok to run ? but the problem is the first time they saw things like this every time they clicked no their programs didnt work. So from then on they always click yes.

Security != Asking an end user something they dont understand.

I am pritty sure as a whole security is being tackled in the wrong way.
From what i can see ever security problem is being tackled by 3rd party software to take care of a problem that should not exist in the first place.

eg Virus's are taken down by Anti Virus software. If you ask some basic information on an non-technical end user about what a anti virus program does and how it works. They are not aware that something like symantec does not garentee protection but is only able to tell you that it doesnt see a virus that exists in its database.

Something that i have been looking for for windows for a long time is a simple connection tacking firewall that will support rule based filtering. Like the basic functions of iptables. eg will track connections and allow / block / drop on different ports and flags. There currently is nothing that i know of for windows that will support this. They all ask the end user. The end user doesnt know the answer. Therefore why install the firewall in the first place.

I see currently security practices as a method of fire fighting only! Only in this case the fire is much more powerful that the fighters. A great example of this is the spam wars. Create spam filter. Spammers work around filter. Create better adapted spam filter. Spammers find workarounds. Create DNS blacklists. Spammers change method of sending spam. But during the whole time if the SMTP protocol was fixed. The problem could be elimenated overnight.

We need the same sort of approach for security. While discussing this the other day in work with people we reached an agreement that it is currently impossible to protect end users when any sort of permissions are required for running lots of bady written applications.

Use Macs

[Delifisek]

Or Linux
Case Closed

Re:Use Macs

As I was recently talking to some of my friends, the biggest mistake of Microsoft is being so popular. That is, the reason why nobody hacks Windows 98 machines, is because there are few (Reason why I left my parents computer with Windows 98 for what they need, and I don't need to worry that much).

I would believe that if users start using more and more whatever you propose here, they will find flaws that lazy users fall on.

I mean, linux can be a pretty secure OS, but make it the most popular, and every hacker will be aiming to hack regular user systems. That hasn't been a problem, since linux users are experimented so far. I'm certainly waiting for linux to be the most popular OS!

Firewalling them is not the same as closing them.

[khasim]

IIRC, it hasn't since XP SP2 as the firewall is enabled by default. Any open ports a users system has since then is because they allowed those connections themselves.

Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.

The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.

And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.

I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.

I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.

Re:I want a big red button

[gradedcheese]

We have that now, it's just that we type 'sudo' rather than pushing a big red button, but it's the same effect. For you, perhaps we can wire up a red button that echoes 'sudo' to your shell?

Re:I want a big red button

mmmm... stupid lusers press "Ok" on those security warnings that software pops up all the time...
It will not be different if it is a physical button. This CAN NOT be done in any technical way, the only way is to educate lusers to become users... and it is a real pain in the ass when those dickheads in Redmond are telling people that any bloody idiot can use a computer. There should be a bloody "Computer user license", 60 hours of education in computer security, with checks every 2 years.

--

AC without cause...

Re:I want a big red button

sudo ? on Windows ?? it's called RunAs... but in the most wonderful MS world msiexec can install software without you having admin rights... and this process can be trigged by ActiveX too...

Push for Windows CDs

[astrashe]

The problem is exacerbated by the reluctance of MS and PC vendors to give out Windows CDs that can be used to wipe and reinstall systems. They should build pockets into the sides of cases for the CDs so people don't lose them, and slipstream all the drivers in, and put instructions to boot the restore disk on the CD label itself.

Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.

It's the least they could do, considering. I mean, Windows compes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.

Re:Firewalling them is not the same as closing the

[Akaihiryuu]

I wish more people would point this out! A firewall by itself is not security. It's just an extra layer of protection. Protecting insecure apps by putting them behind a firewall is a recipe for disaster. Ideally, you should be able to turn your firewall off and still not be any more vulnerable. The primary function of a firewall is to reduce visibility, not add security.

Not quite....

[Dcnjoe60]

Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.

Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).

As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.

So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)

And without a single use of "hacker"

[rrohbeck]

Kudos.

how come no mention of DDOS?

[circletimessquare]

i thought holding a website for ransom or unleashing a botnet DDOS to shut them down was a problem, but the topic was never touched on in the NYT article

is it because the issue is outside the scope of the article or am i hopelessly behind the times and that's not really a problem anymore for some reason i'm not aware of?

Re:Bullshit: Just turn off services.

[ralphdaugherty]

...but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.

      I don't know why your post is considered Insightful. Because you said 5 minutes instead of 12 minutes? This from MSFT's web site:

http://www.microsoft.com/technet/desktopdeployment /articles/080305tn.mspx
Techniques for Patching New Computers
Published: August 3, 2005
By Tony Northrup

I've Been Hacked Already?

A few years ago, I was doing systems engineering work for a technology firm when a UNIX systems administrator asked me to help him with a problem. He used a computer running the Microsoft Windows operating system and connected to the public Internet for testing, and that computer was behaving strangely. I took a quick look at it and immediately recognized the problem: The computer was infected with a worm.

"Okay. Now how do I get rid of it?" he asked.

"The computer doesn't belong to you anymore; it belongs to the bad guys now. You don't know what they might have done with it. Reformat it, re-install Windows, and get it patched."

He rebuilt it and came back to me in about an hour. His computer had become infected with the same worm while he was trying to install the security updates.

According to Sophos research published July 1, 2005, there's a 50 percent chance that an unpatched computer running the Windows operating system will be infected with a worm within 12 minutes of being connected to the Internet. That's bad news, because downloading and installing all the latest updates takes longer than 12 minutes. If you're deploying hundreds of computers, you really have no chance. So, how can you keep your new computers from being attacked before you can update them?

end quote

  rd

Re:I want a big red button

[budgenator]

RunAs is a poor substitute for sudo, a big problem with it is this scenario:

1. user goes to website,
2. browser tell user about missing plugin
3. user downloads missing plugin and save to desktop
4. user rt.clicks installer -> RunAs -> Admin
5. user gets error message "user Admin has insufficient privileges to open file"
6. user says fuck this, runs as Admin and gets pwned

yup that's right in windows Admin isn't trusted enough to look at a users files, so next time the user tries to get tricky:

1. user goes to website,
2. browser tell user about missing plugin
3. user downloads missing plugin and save to a shared folder
4. user rt.clicks installer -> RunAs -> Admin
5. user gets error message "user Admin has insufficient privileges to open file"
6. user says fuck this, runs as Admin and gets pwned

user contacts freindly neighborhood computer geek who's used Linux since 1995 to figure out how to install simple plugins W/O running as Admin. Of course I scoured the windows knowlegebase without results, google without results, I've asked every windows admin type who sounded like he knew his ass from a hole in the ground with out results. Eventually by pure trial and error I discover that:

1. user goes to website,
2. browser tell user about missing plugin
3. user downloads missing plugin and save to desktop
4. user copies missing plugin from desktop to a shared folder
5. user rt.clicks installer -> RunAs -> Admin
6. Botta-boom, botta-bing the thing installs!

Now if I've been dual-booting Linux and Windows 3.1/Dos 6.22 and it took me 3 frigging years to figure out how to install a plugin in Windows XP-SP2 without dropping reasonable security, what chance does the average windows noob stand to avoid being pwnd?