The NYT on the Proliferation of Botnets

ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."

Capitol Punishment

[flyneye]

Capitol Punishment on national television for owners of botnets.
O.K.,O.K. maybe just corporal punishment ,but it has to be bareass.

Make Microsoft liable

[wytcld]

When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.

If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.

Re:Make Microsoft liable

[tomhudson]

If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault.

Hans Reiser, is that you?

Re:Make Microsoft liable

[petrus4]

And what if it's a GPL'd chainsaw that you made in college, put on the internet for people to copy and use if they want, but never took the time to test thoroughly?

Ever been part of the warez scene on IRC?

I'm assuming you haven't, so I'll explain. That system is entirely trust based, and self-regulating. If a file ever comes from anyone which has a virus or anything else suspect included, the source of the file immediately gets ostracised, at least as a source, and most likely in terms of download access as well, since the system is based on reciprocal trade. Wrong, I hear you say...what about cracks coming from warez *web* sites or p2p nets which have malware? Said malware would likely be put into the archives by the webmasters of those sites themselves...the upstream cracking groups would NOT be doing it, because there are a lot of people in the warez food chain who are not going to want to receive/propogate known malicious files. ANY group which includes files for compromising a system with a release has just destroyed its' ability to subsequently release files that people will trust at any point in the future. Ditto for eMule files that have nasties in them...they get intercepted/recreated downstream. That is part of the entire reason why nets like eMule use the sorts of file hashing systems that they do; if you know the hash of a particular group's release, you can download said release and get entirely clean warez.

Ditto with any moron who was going to be dumb enough to try and write GPL licensed malware...they'd gain a horrible reputation very, very quickly. The other thing is, anyone who is sufficiently interested in doing the wrong thing as to be writing malware in the first place is not going to care about licensing it unless they are exceptionally stupid...which malware authors generally aren't. Sociopathic and deserving of being used as live shark bait, yes. Stupid, no.

Accidental bugs which lead to buffer overflows and such are different. They are unavoidable, and people know that...despite the best of developer intentions, occasionally they happen. As such, although the author of said bug will not risk ostracision for authoring it, in most cases (at least if the program in question has more than half a dozen or so users) it gets patched very quickly.

An easy answer

[Overzeetop]

So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).

Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.

Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.

New PC

[NitsujTPU]

Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.

The root of the problem is responsibility

[Todd+Knarr]

The core of the problem is responsibility, or a lack thereof.

Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.

And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".

Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.

Look at it logically and focus your efforts.

[khasim]

There are a limited number of ways for a machine to be cracked.

#1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.

#2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.

#3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).

So, why aren't we seeing a focus on the biggest security issue?

Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.

If you cannot do it securely, then you should not do it.

Firewalling them is not the same as closing them.

[khasim]

IIRC, it hasn't since XP SP2 as the firewall is enabled by default. Any open ports a users system has since then is because they allowed those connections themselves.

Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.

The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.

And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.

I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.

I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.

Push for Windows CDs

[astrashe]

The problem is exacerbated by the reluctance of MS and PC vendors to give out Windows CDs that can be used to wipe and reinstall systems. They should build pockets into the sides of cases for the CDs so people don't lose them, and slipstream all the drivers in, and put instructions to boot the restore disk on the CD label itself.

Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.

It's the least they could do, considering. I mean, Windows compes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.

Not quite....

[Dcnjoe60]

Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.

Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).

As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.

So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)

Re:Well, that's sorta backwards

[denoir]

As a current Vista user I can tell you the following: Microsoft has a high priority of not being blamed for security issues. Their solution is to through the UAC (User Account Control) warn the user before he makes any action that could potentially be harmful to the system. This is just about any action. "WARNING! Operation 'use keyboard' is a high security risk. Press any key to abort." Ok, perhaps not that bad - but nearly. If you are an experienced user, you will turn UAC off after cursing at Microsoft for 15 minutes. If you are an inexperienced user you will just blindly accept the warning - otherwise you can't use your computer normally. In effect the operating system is constantly crying wolf and there is no way in hell an inexperienced user will be able to tell the difference between an irrelevant warning and a relevant one. Vista is also supposed to be much more secure under the hood. I really hope so, because their approach to user based security sucks. The only real point that I can see is avoiding getting sued.