The NYT on the Proliferation of Botnets
ThinkComp writes "The New York Times has a story up on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
Been done already. And it didn't work out so well IIRC.
Waiter Rant (some blog) covered this recently http://waiterrant.net/wordpress2/?p=400
..... .....
"Same old," Arthur says. "How's the writing thing going?"
"Harder than I expected," I say. "But thank God for computers. I can't imagine typing this all out on a typewriter."
"Computers are great," Arthur says. "Until they go wrong."
"Ain't that the truth."
"My old computer was so infested with porn I had to throw it out," Arthur says.
"No way," I reply, taking a sip from my martini.
"I'm not kidding."
"Couldn't you reformat the hard drive?"
"My ex brother-in-law tried to fix it," Arthur says, wiping down the bar with his towel. "He's a computer geek and even he couldn't do it."
"What the hell were you looking at?" I ask.
"Nothing illegal," the bartender says, suddenly defensive.
"Sure."
"I swear," Arthur says. "I'm surfing the net, minding my own business...."
"Looking at naked women."
"Perusing all the wonderful smut the internet has to offer," Arthur continues, "When a porn demon possesses my laptop."
"Porn demon?"
"Yeah," Arthur says, throwing up his hands. "A million pop-ups start exploding on the screen."
"Oh no," I mutter.
"So," Arthur says, pulling a frosted glass out of the freezer, "I had a million pop-ups. It took me forever to close them. My ex-wife saw them."
"I'm not gonna even ask what she was doing there."
Arthur just smiles. "So the computer's completely fucked," he says. "Ran slow, acted weird - the works."
"Didn't you run a virus scan?"
"This isn't a virus," Arthur cautions. "It's a porn demon. Virus scans are powerless against it."
"I don't think the church exorcises computers," I say.
"You sure?"
I chuckle to myself. Every Catholic diocese has an official exorcist. I used to know the one from mine. It's a secret, mostly ceremonial post. Despite what you see in the movies, Linda Blair scenes are few and far between. Something tells me the Church isn't gonna whip out the bell, book, and candle to save a Duo-Core processor.
"I'm sure," I say.
"That's too bad," Arthur says. "My brother-in-law gave up. I had to throw the damn thing in the trash."
"I don't know what's worse," I say. "You buying a new computer or your ex brother-in-law trying to fix it."
"I learned my lesson," Arthur says, pouring my drink into the frosted glass. "I had to spend a grand on a new computer. No more internet porn for me."
Seems drastic, but it did solve the problem. - I make no comment about the tech, but that's a user for you.
As a current Vista user I can tell you the following: Microsoft has a high priority of not being blamed for security issues. Their solution is to use UAC (User Account Control) to warn the user before he makes any action that could potentially be harmful to the system. This is just about any action. "WARNING! Operation 'use keyboard' is a high security risk. Press any key to abort." Ok, perhaps not that bad - but nearly. If you are an experienced user, you will turn UAC off after cursing at Microsoft for 15 minutes. If you are an inexperienced user you will just blindly accept the warning - otherwise you can't use your computer normally. In effect the operating system is constantly crying wolf, and there is no way in hell an inexperienced user will be able to tell the difference between an irrelevant warning and a relevant one. Vista is also supposed to be much more secure under the hood. I really hope so, because their approach to user-based security sucks. The only real point that I can see is avoiding getting sued.
I cannot believe people are still saying this. How many stories about botnets do we have to have on Slashdot before people realise that UNIX is not secure either.
Look. The vast majority of this crap comes in via browser exploits these days. Running malicious attachments etc is not such a favoured technique anymore. There is nothing in UNIX that stops applications from being written in an insecure fashion, there is nothing in UNIX that stops apps hooking each other to hell and back (which is largely what these bots are doing when they steal data), there is nothing in UNIX that even makes it hard to install a rootkit. Just phish the password out of the user, or wait until an authentication dialog appears and overlay your own, or wait until a privilege escalation attack is found (new ones appear all the time). But as you don't need root to steal data, send spam, display popup ads or any of the other things bots do this is really just a nice-to-have bonus, it's not essential.
The fundamental architecture of Windows NT is no different to UNIX these days. They are both seriously flawed because they are based on a threat model from the 70s, when the world of computing was totally different. Having an administrator user and also a "regular" user who are really the same person is a nasty hack that doesn't solve the problems at all. Apple don't have the answers ... have you seen how easy it is to suck SSL protected form data out of Safari? Neither does the Linux community. SELinux has gone down the route of totally static policy, which is fine for servers but worthless for desktops.
MacOS and Linux are statistically insignificant, but if people keep recommending them as a "solution" then soon they won't be and then we'll find, oh look, it's just as easy to create Mac botnets as it is Windows botnets. What little trust is left in computer security people will then be gone.
The fact is, residential computing is fucked. Utterly, utterly fucked. The guy quoted by the NYT is right, the war was already lost a long time ago, and people keep pretending it wasn't. The war was lost when the computing community decided that user-based DAC security models could stop malicious software. They can't, they don't, and they never will, so please stop saying MacOS or Linux are somehow inherently better, when they aren't! They are at best temporary band-aids.