Slashdot Mirror
The NYT on the Proliferation of Botnets
ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
On that note, how long before some vigilante creates their own botnet and uses it to keep hundreds of thousands of machines up-to-date on their security, spyware-free, and running Folding@Home or something in their spare cycles?
The World Wide Web is dying. Soon, we shall have only the Internet.
An older Windows release, reasonably patched,
running under Linux (win4lin) and behind a paranoid
firewall is safer than XP or Vista.
Alas, not as safe as an unpached RH9, mind you,
but still safer than Vista (;-))
--dave
davecb@spamcop.net
Capitol Punishment on national television for owners of botnets. ,but it has to be bareass.
O.K.,O.K. maybe just corporal punishment
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Been done already. And it didn't work out so well IIRC.
When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.
If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.
"with their freedom lost all virtue lose" - Milton
unless you know how to secure it and maintain it.
The people offering this "advice" have got to be idiots. True, it might cost more to pay someone else to de-own your PC and train you on how to avoid problems in the future than the cost of replacing the hardware. That doesn't mean that educating yourself isn't the right answer though. What does buying a new machine do to make you more secure? Buy a $400 brand spankin' new bottom of the line Dell, throw it up on the net, and get owned in under 20 minutes. Does anyone make the $1200/hr it would take to keep a steady supply of new bottom of the line bot-to-be PC's flowing into the households of idiot users who can't be bothered with learning fundamental literacy?
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that. Casual users on the internet are presently walking through the worst parts of town with $100 bills sticking out of their pockets, and until they can figure out that this isn't smart and why and what to do better, they're going to continue to get themselves in trouble and drag down the community by feeding the predators that eat away at it.
You see? You see? Your stupid minds! Stupid! Stupid!
So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).
Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.
Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.
Is it just my observation, or are there way too many stupid people in the world?
Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.
The core of the problem is responsibility, or a lack thereof.
Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.
And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".
Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.
and sell your old one cheap.
Just the other day I bought an older Dell that "wouldn't boot" for $15, sans hard drive. An hour of hacking around inside, and I was able to get it going. It's a little old, but it'll make a nice LiveCD tester.
Consumers are getting raped by MS and Dell, but they're not going to learn, so might as well take advantage.
Maybe not
Good idea, until someone finds a hole in the software that handles the big red button. Apple actually did something like this a while back for system updates. There was a "programmer button" on the back you had to press in order to install the update.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
Purchasing a new, "updated" PC is going to give you about as much protection as purchasing a new "updated" vehicle. Sure, you're going to find plenty more safety features to make your drive easier, but bottom line is the vehicle isn't going to be immune to crashes; it's still your duty to drive responsibly. The same goes for your PC - it's your responsibility to secure you PC against the latest threats. As far as the propagation of malware goes, I predict it's only going to get worse. Let's face it - as long as people remain uneducated to the dangers of malware, and haven't really been affected by it firsthand, they aren't going to make an effort to protect themselves. They'll keep paying Norton $20+ a year for non-existent protection, as long as it makes them feel safe.
There are a limited number of ways for a machine to be cracked.
#1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.
#2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.
#3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).
So, why aren't we seeing a focus on the biggest security issue?
Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.
If you cannot do it securely, then you should not do it.
Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.
The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.
And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.
I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.
I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.
We have that now, it's just that we type 'sudo' rather than pushing a big red button, but it's the same effect. For you, perhaps we can wire up a red button that echoes 'sudo' to your shell?
throw the computer users a bone sheesh!
Paycheck? They get screensavers. Just take a popular screensaver, write a hostile wrapper, and upload it to your scum site. If antivirus software removes your malware, some users will even reinstall it.
sudo ? on Windows ?? it's called RunAs... but in the most wonderful MS world msiexec can install software without you having admin rights... and this process can be trigged by ActiveX too...
The problem is exacerbated by the reluctance of MS and PC vendors to give out Windows CDs that can be used to wipe and reinstall systems. They should build pockets into the sides of cases for the CDs so people don't lose them, and slipstream all the drivers in, and put instructions to boot the restore disk on the CD label itself.
Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.
It's the least they could do, considering. I mean, Windows compes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.
I wish more people would point this out! A firewall by itself is not security. It's just an extra layer of protection. Protecting insecure apps by putting them behind a firewall is a recipe for disaster. Ideally, you should be able to turn your firewall off and still not be any more vulnerable. The primary function of a firewall is to reduce visibility, not add security.
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.
Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).
As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.
So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)
I really, really don't get it. It's not that hard to keep a Windows box safe. I do understand how grandma can screw up, but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.
People talk about "open ports." To me, that's right up there with "oh no! My IP address is visible!" paranoia. It's just not how computers work! Worms don't somehow jump into your computer through magic holes called "ports:" They exploit bugs in services.
So, disable all the services you don't need. Get rid of the blasted Windows filesharing cruft. Shoot the scripting host. Turn off the remote desktop crap. Look through all the services, and just clean all that junk out. If you don't have idiot programs running that worms can fool into executing arbitrary code or otherwise misbehaving, you're ok! Then connect to the 'net and install the latest updates. In the time it takes you to do that, nobody will jump up through your NIC and give your computer gonorrea.
A firewall is a safety net, and it makes perfect sense in, say, a production IT department to have as many safety nets and backups as you can. But a properly-configured machine, without exploitable crap running, shouldn't strictly need it, and I really think that a competent personal user can easily stay safe.
As for the "security software" the article speaks of: Though an up-to-date antivirus is a decent idea, most software firewalls and other pieces of security software really just operate something like modern-day politicians, keeping users alarmed so as to justify their own existance. "Someone is trying to HACK you!" they scream, as an innocent ICMP ping request arrives at your computer. Pfft. Save your CPU cycles and just don't be a fool!
Kudos.
thegodmovie.com - watch it
i thought holding a website for ransom or unleashing a botnet DDOS to shut them down was a problem, but the topic was never touched on in the NYT article
is it because the issue is outside the scope of the article or am i hopelessly behind the times and that's not really a problem anymore for some reason i'm not aware of?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Sorry, but the primary function of a firewall is indeed to add security. My website is protected by a firewall but it still receives millions of hits and several hundred thousand pageviews. It's safe to say its quite visible and I wish it to remain so. You're right that a firewall is an additional layer of protection and is by no means the only layer. Sometimes you are forced to run an insecure app though and in those times you thank your lucky stars you have proper firewalls and routers and VLANs and RADIUS to help protect your services.
I don't know, I see the basic advice about security everywhere I look. You can't go to any security-related Web site, or even Microsoft's site, without hearing the basic common-sense rules I learned from other people in the BBS community back 25 years ago when I was in high school. Don't install software from sources you don't know and trust. Don't use software that downloads and runs stuff from external sources automatically. Put a hardware router with a firewall between your computer and the Internet. E-mail is text, don't try and treat it as anything else (or use a program that'll treat it as anything else) until after you've reviewed it to confirm that the non-text parts are really what you expect them to be. Don't trust e-mail just because of who the sender is, you know about all the viruses that use the address book to spread themselves and there's no guarantee the sender of that e-mail didn't get infected with one of 'em. None of that's rocket science, and it probably addresses 80% of the problems out there.
...but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.
t /articles/080305tn.mspx
I don't know why your post is considered Insightful. Because you said 5 minutes instead of 12 minutes? This from MSFT's web site:
http://www.microsoft.com/technet/desktopdeploymen
Techniques for Patching New Computers
Published: August 3, 2005
By Tony Northrup
I've Been Hacked Already?
A few years ago, I was doing systems engineering work for a technology firm when a UNIX systems administrator asked me to help him with a problem. He used a computer running the Microsoft Windows operating system and connected to the public Internet for testing, and that computer was behaving strangely. I took a quick look at it and immediately recognized the problem: The computer was infected with a worm.
"Okay. Now how do I get rid of it?" he asked.
"The computer doesn't belong to you anymore; it belongs to the bad guys now. You don't know what they might have done with it. Reformat it, re-install Windows, and get it patched."
He rebuilt it and came back to me in about an hour. His computer had become infected with the same worm while he was trying to install the security updates.
According to Sophos research published July 1, 2005, there's a 50 percent chance that an unpatched computer running the Windows operating system will be infected with a worm within 12 minutes of being connected to the Internet. That's bad news, because downloading and installing all the latest updates takes longer than 12 minutes. If you're deploying hundreds of computers, you really have no chance. So, how can you keep your new computers from being attacked before you can update them?
end quote
rd
Unless your firewall is a reverse proxy, you are still vulnerable to exploits in yur code, or the webserver.
Firewalls are bandaids, there is no replacement for well written, secure code.
I can throw myself at the ground, and miss.
The last DSL broadband service that I worked through used their own SMTP relay server. This had a rate circuit breaker so that if you sent out loads of emails, it would switch off. Most particularly on that router I had it set up that port 25 access only went to the relay so unless the bot was clever enough to find it then the logfile from the firewall would give me a chance to fix the problem.
See my journal, I write things there
yup that's right in windows Admin isn't trusted enough to look at a users files, so next time the user tries to get tricky:
user contacts freindly neighborhood computer geek who's used Linux since 1995 to figure out how to install simple plugins W/O running as Admin. Of course I scoured the windows knowlegebase without results, google without results, I've asked every windows admin type who sounded like he knew his ass from a hole in the ground with out results. Eventually by pure trial and error I discover that:
Now if I've been dual-booting Linux and Windows 3.1/Dos 6.22 and it took me 3 frigging years to figure out how to install a plugin in Windows XP-SP2 without dropping reasonable security, what chance does the average windows noob stand to avoid being pwnd?
Apocalypse Cancelled, Sorry, No Ticket Refunds