Slashdot Mirror
The NYT on the Proliferation of Botnets
ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
Capitol Punishment on national television for owners of botnets. ,but it has to be bareass.
O.K.,O.K. maybe just corporal punishment
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
The core of the problem is responsibility, or a lack thereof.
Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.
And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".
Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.
Hans Reiser, is that you?
Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.
The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.
And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.
I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.
I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.
Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).
As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.
So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)