Dan Geer On Trusting PCs In Botnets
walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"
for Sony, for one. Yep, can't say enough good things about root-kitting your customers...
The cesspool just got a check and balance.
Where's the Monty Python foot icon? This has to be a joke.
"A week in the lab saves an hour in the library"
BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.
The twitter monologues. Click on my homepage and be amazed.
[ASCII-art pony, garbled in extraction] I Like Ponies!!!111!
Please control the human population, have sex with ponies!
01001000 01100101 01101100 01110000 01100011 01101111 01101110 01110100 01110010 01101111 01101100 01110100 01101000 01100101 01101000 01110101 01101101 01100001 01101110 01110000 01101111 01110000 01110101 01101100 01100001 01110100 01101001 01101111 01101110 00101100 01101000 01100001 01110110 01100101 01110011 01100101 01111000 01110111 01101001 01110100 01101000 01100001 01110000 01101111 01101110 01111001 00100001
The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.
A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.
Not Meta-modding due to apathy.
I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
Although this would work in a black-and-white world, where you either say "yes" or "no" always, many people would say yes out of fear of not getting what they want from the site they are accessing. Others that read this may be scared (since they presume the site was already secure), and yet others would question the practice. And then come the questions of ethical practices...
mod me off topic if you must, but I for one just cant bring myself to ever trust someone with muttonchops like that.
Yes.
--In Soviet Russia, internet connection owns you!
A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.
I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to root-kit (heh, root-kit as a verb)) your most secure and computer-savvy users. They aren't going to like it.
If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."
So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
Well, that's new.
Posts like this keep me coming back
Is there anyone else here who read the summary and thought "What the fuck?!"
The game.
From TFA, assume that there are people who always say "yes" and they're the ones who are infected. Well, answering "yes" to a single question doesn't come anywhere near proving that you always say "yes". Also dubious is the assumption that someone who clicks "no" when asked if you want to use a more secure connection wouldn't be likely to be infected. Actually, anyone with their brain turned on would smell a rat when presented with this choice and would abort the transaction.
Only a half-flawed premise. You're right in that the variable isn't "yes" or "no". I'd suggest that there is a variable that can be measured, and it's the time delay between display of the warning and user-response.
The guy who clicks "yes" in less than 500 milliseconds + (2 * latency_between_You_and_Client) can be assumed to be pwn3d. He clicks "Yes" to everything.
And the guy who clicks "no" in the same interval is just as likely to be pwn3d. He clicks on everything.
The only secure systems are run by people who take at least 5000 ms (5 seconds) to go "Huh? WTF?" and make a choice. They're the ones who can't be (immediately) assumed to be pwn3d.
If I read such a message and parse it as "WTF? That's not a valid request by any server I understand for the use of a secure protocol! IT'S A TRAP!", and click "No", I'm paranoid enough that I'm not likely to be pwn3d. Similarly, if I read such a message and parse it as "WTF? I have no idea what wrapper he's using around HTTPS, SSH, sftp or whatever, but that's gotta be from some kind of wrapper!", I'm also thinking hard enough that I'm not likely to be pwn3d.
The users that want secure connections are not the ones most likely to be pwned, it's the ones that couldn't care less that you should be worrying about. But really, the real problem here is the extreme laziness of this idea. If you implement good security policy regardless of who you're connecting to you're better off than treating all of your users like complete idiots because they want a secure connection.
Sigs are too short to say anything truly profound so read the above post instead.
...hundred million botnets, washed up on the shore
Seems I'm not alone in being alone
Hundred million castaways, looking for a home
I'll send an SOS to the world
I'll send an SOS to the world
I hope someone don't get my
I hope someone don't get my
I hope someone don't get my
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
What if I do the same thing, and I do get different results?
Yes.
What was the question again?
Let's assume I go to this page. Let's assume I do read what's offered to me. So I could use a superspecialawesome security feature. Great. I'm security conscious and yes, I want that security feature.
Let's assume I go to this page. Let's assume I am a trained clickmonkey. So I get a dialog that asks "yes" or "no", and I click yes because I always click yes.
Erh... who'd click no?
What's the demographic of people who would click no there? People who do read security popups but don't want to be secure?
Sounds to me a bit like a scam. Nobody would click no there. So this all smells a bit like "look, we ASKED the customer if he wants to get a rootkit, it ain't like we didn't tell them".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You already failed by implicitly accepting the options at face value. If you don't trust a website, how can you trust that a control button labeled "no" will "not do something?"
The only way to be sure is to kill -9 the application. But since windows (at least, XP) doesn't have kill -9, only a weaker {ctrl-alt-delete, send exit signal, wait a bunch, then kill}, you have to cut the power. With the switch, not the button.
Can you be Even More Awesome?!
.. that binary converts to ASCII as such: Helpcontrolthehumanpopulation,havesexwithapony!
...
Well, I'm a geek, I had to know
I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.
You see, all the other rootkits will trust this one, thinking it's one of THEM!!! Then all you have to do is have your rootkit tell them that it can't stay long and would they please let it have this password/account number and they can steal the next.
They'll never even know this was a good guy root kit the whole time!
...oh, sorry, I saw the first post and just automatically clicked "reply".
I for one, welcome our cross-platform-r00tkit-touting benevolent E-commerce overlords.
When you pull your head out of M$ propaganda you will understand what the author is saying. You don't get the joke because you are a victim of double think and believe things that glaringly contradict each other.
The author is responding to hate mail he got for challenging the M$ party line that only idiots get 0wned.
He parodies the party line brilliantly by saying:
and then suggesting that vendors instantly 0wn anyone who says they want a secure connection. This is not a serious suggestion, it simply point out the absurdity of blaming the user for something others so easily and frequently do. Vendors are screwed and he knows it.
The author is also pointing out how insulting it is for M$ to continue to blame the user for M$ security problems. If M$ really believes this, they must also believe that 2/3rd of their customers are idiots who and have VD. Is there any other vendor on the planet that so casually insults their customers?
Amazingly enough, the general population still believes the M$ party line. I had this argument with a co-worker the other day. He so strongly believed that it's the user's fault that he could not accept estimates by Vint Cerf or Michael Dell as accurate. Stories of corporate network disaster are similarly dismissed as the fault of idiots at work. More amazing than the man's inability to take in new information was the temper tantrum he threw when calmly questioned and confronted with facts. M$'s own estimates will also bounce off his otherwise bright head because it would force him to conclude that there's either a 2/3rd chance that he's an idiot or worse - he's been wrong headed and vocal for years, which is the definition of an idiot. How does M$ build such loyalty while being so abusive? Windoze security is an oxymoron and it's time the public at large understood that.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".
The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!
licet differant, aequabitur
The point is that if someone is willing to run malware once then they're most likely already infected and part of a botnet.
The point is that it's not the user's fault because it's trivial for web site operators to 0wn user machines. When M$ themselves estimate 2/3 of all machines are compromised, no rational person can continue to blame the user.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
"Are you an Idiot?"
No self respecting intelligent person would say yes to that. Otherwise, they just haven't bothered reading the question, and by default are yes pushers....
Science advances one funeral at a time- Max Planck
This guy thinks someone who prefers secure connections is more likely to be pwned.
No, he thinks that blaming the user is a joke when even M$ admits 2/3s of their customers are 0wned. It's a joke. Do you really think he's suggesting vendors screw all the customers who say they want a secure connection? If so, you admit it's trivial and that it's not the user's fault. The joke is on people who wrote him hate mail for stating the obvious: Windoze is a security disaster and large percentages, if not all of them, are part of key logging botnets. Only they will take the article's suggestion seriously.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Although as stated in the summary (I didn't RTFA but from the comments it seems the summary accurately describes the proposed idea) the idea seems pretty flawed. However this might not be too bad of an idea in principle. Rather than asking if they want more security however, post a question saying "May we infect your computer, delete all your files, rape your children, etc..." then if the user clicks yes we know what kind of user we are dealing with and refuse service outright. As someone above pointed out if you are going to do business you should already be doing it in the most secure way possible, or at least the most reasonable. If you can't at least assume there is not a keylogger etc on the client computer without at least some level of confidence then you shouldn't be interacting with them for any sort of business transaction.
For sites that don't want to pose a question quite so obvious and thus scare away potential "good/safe" customers who think the site has just been hacked, you could ask a series of 2 or 3 more mundane questions and time the responses. If this is to be done though the odds of "yes" being the right answer should be 50/50. I'm not sure exactly what questions to use but it would be a simple enough matter to come up with a list of 10 or so and then randomly pick a few to give to the user.
-Buck
Since we're discussing ways to make online shopping safer ...
Instead of giving your credit card info to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for that item(s) in the shopping cart identified by that string.
There. Your credit card info NEVER crosses the wire.
And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.
That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
vs
That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).
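The pay-by-reference scheme in the post above, as an added toy model that is not part of the original comment: the store issues a random, single-use cart reference, the already-logged-in customer hands that reference to the bank, the bank looks the cart up with the merchant and settles it, and the card number never leaves the bank. The class and function names (Store, Bank, pay_reference, demo), the 15-minute reference lifetime, the out-of-band merchant registration and the scenario data are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REF_TTL_SECONDS = 15 * 60   # assumption: a cart reference expires after 15 minutes


@dataclass
class Cart:
    store_id: str
    amount_cents: int
    created: float
    paid: bool = False


class Store:
    """Merchant side. Never sees a card number; it only issues references."""

    def __init__(self, store_id: str):
        self.store_id = store_id
        self.carts: Dict[str, Cart] = {}

    def create_reference(self, amount_cents: int, now: float) -> str:
        # 128 random bits: a reference cannot be guessed, so a third party
        # cannot redirect a payment to, or pay for, a cart they did not make.
        ref = secrets.token_urlsafe(16)
        self.carts[ref] = Cart(self.store_id, amount_cents, now)
        return ref

    def lookup(self, ref: str) -> Optional[Cart]:
        return self.carts.get(ref)

    def mark_paid(self, ref: str) -> None:
        self.carts[ref].paid = True


class Bank:
    """Customer's bank. Holds the account and the merchant reputation ledger."""

    def __init__(self):
        self.stores: Dict[str, Store] = {}      # merchants registered out of band (assumption)
        self.balances: Dict[str, int] = {}
        self.feedback: Dict[str, List[bool]] = {}

    def register_store(self, store: Store) -> None:
        self.stores[store.store_id] = store
        self.feedback.setdefault(store.store_id, [])

    def pay_reference(self, customer: str, store_id: str, ref: str, now: float) -> Tuple[bool, str]:
        """Called by a customer who has already authenticated to the bank's own site."""
        store = self.stores.get(store_id)
        if store is None:
            return False, "unknown store"
        cart = store.lookup(ref)               # bank asks the merchant what this reference means
        if cart is None:
            return False, "unknown reference"
        if cart.paid:
            return False, "reference already used"   # single use: a captured reference is worthless
        if now - cart.created > REF_TTL_SECONDS:
            return False, "reference expired"
        if self.balances.get(customer, 0) < cart.amount_cents:
            return False, "insufficient funds"
        self.balances[customer] -= cart.amount_cents
        store.mark_paid(ref)                   # settlement notice; card data never crosses the wire
        return True, "paid"

    def record_feedback(self, store_id: str, positive: bool) -> None:
        self.feedback[store_id].append(positive)

    def reputation(self, store_id: str) -> Tuple[float, int]:
        """Percentage of positive feedback and number of rated transactions."""
        votes = self.feedback.get(store_id, [])
        if not votes:
            return 0.0, 0
        return 100.0 * sum(votes) / len(votes), len(votes)


def demo() -> dict:
    """Constructed scenario: one honest purchase, one replayed reference, one expired one."""
    bank = Bank()
    shop = Store("acme")
    bank.register_store(shop)
    bank.balances["alice"] = 10_000
    t0 = 1_000_000.0
    ref = shop.create_reference(2_599, t0)
    first = bank.pay_reference("alice", "acme", ref, t0 + 30)
    replay = bank.pay_reference("alice", "acme", ref, t0 + 60)
    stale = shop.create_reference(100, t0)
    expired = bank.pay_reference("alice", "acme", stale, t0 + REF_TTL_SECONDS + 1)
    for ok in (True, True, False):
        bank.record_feedback("acme", ok)
    return {"first": first, "replay": replay, "expired": expired,
            "balance": bank.balances["alice"], "rep": bank.reputation("acme")}
```

The security-relevant point is in pay_reference: the store learns nothing but "cart X was paid", the reference is unguessable, single-use and short-lived, and the bank (which already knows the customer) is the only party that sees the account. A keylogger on the customer's PC still sees the bank login, which is the problem the rest of this thread is about.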
Sorry, I refuse to take security advice from a man with wispy mutton chops. He's clearly a villain from a Victorian novel trying to trick us into some clever world domination scheme.
I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!
Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your client's PCs.
In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.
But they didn't ask if you wanted a rootkit -- they asked if you wanted a secure connection!
(And getting a secure connection is quite opposite to getting a rootkit.)
The idea isn't "stupid" or "retarded".
IT DOESN'T MAKE SENSE!
As someone else implied, he's right that bots will click yes (I suppose). But the problem is *everyone* clicks yes to *that* question, or at least *most real users* do, too!
A better test, as someone else suggested, would be to ask that question until the user clicks cancel, and only a bot would click yes more than 10 times.
An *even better* test (one that makes a little sense) would be to put up a question that no rational user would click yes to. (E.g. "Would you like to be INFECTED with a rootkit." -- you've got to caps the infected, because rootkit might sound appealing, like root beer.)
And the best solution, as previously mentioned, was to practice safe security with all your users. Get some "latex" between you and all users.
I have no idea why this was posted. Or, maybe I do: because it's so stupid it's interesting that some "professional" would say it.
Just goes to show: "professional" just means you conned someone into paying you -- it doesn't mean you know anything more than an "amateur".
So when a website asks me if I would like to be redirected to the https version of their site, I should click...no?
WTF?
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
And after 3 questions, the user leaves the site...
I always click "yes" to secure transactions at URLs that I trust. If I went to a financial institution that said, "do you really want a secure connection?" I would of course say yes, it's my bank for goodness sake. I then get A Root Kit installed and my keyboard tapped. What kind of fucked up shit is that? In a good mood I would cancel my account and move. In a bad mood I would be calling my lawyer.
Really, why should the test be the user's reply to a question? If you can install your rootkit on the users machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.
Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.
.sig: file not found
Yeah, I had considered that but when I go to my bank it asks me for my account ID, loads a new page, asks me one of several questions I programmed answers into upon setting up the account, loads a page, then asks me for my password, and finally lets me in. If this kind of nonsense is deemed acceptable then I think a couple of questions is not too much to ask. Besides, you would really only need to ask one string of questions per user as once you deemed them intelligent enough to read something before clicking yes you know that person is "safe" and can refrain from bothering them in the future.
-Buck
Bots aren't stupid. More correctly, bots are as smart as the people making them.
This whole thing sounds like yet another snakeoil, promising to solve the phishing problem once and for all. Here's a secret: There will never be something like that. Never ever. As soon as you implement something like that, the bot writers will implement something that "reads" the message and react to it. You create one that has a billion questions? They will implement something that is sophisticated enough to parse it. Make it harder to read? Then some of your lesser smart humans will fall for it, too.
Face it. You can create a rootkit that is as smart as the average dumb clickmonkey.
Professional can mean more than just conning someone into paying you. In this case, it seems not to be the case.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So I click "no I don't want an extra secure connection" to prove I'm not infected?
If I (as a normal user for a change) see a popup like the one described, then even if I click "Yes" I'm not authorizing anyone to install anything on my computer. I'll be assuming something like an HTTPS connection like my bank uses.
If the install of such a root-kit (or any other software) happens anyway, this is a case of unauthorized trespass / cracking. At least where I live, there is a law against it (NL - it's called "Computervredebreuk"). In fact, because you appropriate data processing capacity (the keyboard), you qualify for the higher punishment.
"There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them."
I claim there's a lot more that can be done:
https://bugs.launchpad.net/ubuntu/+bug/156693
It's not easy but it can be done.
In contrast expecting users to solve a version of the halting problem ("will running this program pwn my PC") is bad design and unreasonable.
Winning a Frosty Piss Contest? Like winning a special Olympics race - still retarded.
how does that relate to the number of computers used to browse free pr0n on the internet ? just curious
In the past (I don't know about present day), all internet banking in South Korea was ActiveX based, as well as numerous government sites. Yes, it did require the whole country to run Internet Explorer, but was done because ActiveX was deemed a more secure alternative. I don't understand all the technical reasons, but I do know that South Korea has some very savvy IT guys, so I wouldn't dismiss their concept out of hand.
Your ad here. Ask me how!
The best response is to cancel the transaction. The question about using an extra secure connection is unexpected. Either software would be set up for the special connection when you first set up an account, or some big announcement would be made on the website - it's highly unlikely a site would choose to surprise users in such a way. The fact that the author would think any choice he presented is valid shows that he is likely to fall victim to getting his own system rooted (at least, according to his own logic), since this transaction should just be terminated.
If only I had modpoints right now...
TFA is idiotic as others have posted, also it neglects a potential arms race with other rootkits.
However the idea of taking over the user's hardware is not bad, though the way it is presented is awful. I really don't like the approach of assuming stupidity (sure it appeals to a sysadmin maybe) or the idea of breaking in unlawfully.
After all if you totally took over the machine, there would be no rootkits or other insane plugins. Here are a couple ideas to think about.
1. A new kind of, hardware manufacturer supported, signed minimal clean OS with verified signed apps. The forerunner of this is the instant-on SplashTop linux os for ASUS by DeviceVM, Phoenix Technologies' Hyperspace, etc. This is really grabbing the hardware using tools built into the hardware. Could be nasty if it allows being taken over by a cracker but possibly could guarantee a dumb but safe commerce terminal.
2. Launching a virtualized machine, perhaps using virtualization hooks in new cpus, which is similarly minimal and signed. It would seem this could be vulnerable depending on degree of memory protection and security of the kernel or hypervisor or whatever is running it. So this is a mostly software solution.
In both cases (especially in the first one), the rightful owner of the hardware is given superior power over the hardware that a cracker does not have. For the first one, especially if you are going from a cold power up and you base the minimized system and apps all on a cryptographically safe ensured stack, or otherwise use resources not available to the Windows OS normally, you basically have a separate computer - safer than Vista - guaranteed by a trusted vendor. Applications could come from the trusted vendor too perhaps.
If you think about it you really don't need more computing ability than an old Apple ][ or a standalone kiosk teller machine has, except for the crypto. It seems possible to simulate this for significant transactions, contract signing, and so on. I could see a separate colored power button that will use hardware resources that are completely separated from Windows and the morass of unsafe architecture and virulent bots. Possibly this separate OS could be used for setting passwords that could be read from Windows, and for storing confidential documents.
Maybe you could partition the disk from there to assign a certain amount of space for work that is only accessible from the safe OS side, or set folders in the Windows partition that cannot be read or written except from a virtual PC like instance that has been checked by the safe OS. This approach would give the machine's owner a safe island where he knows he is alone and which only communicates over encrypted virtual private network paths to other safe island nodes.
This idea is incredibly stupid.
Let's assume that the author is right, and that people clicking "yes" for an "extra-special secure" connection really are the ones who click yes everywhere, and thus have infected machines. And that people clicking "no" for an "extra-special secure" connection really have clean machines. This assumption is already stupid, because there are more ways to get infected than by clicking "yes" (e.g. a no-clicker could have been infected via some buffer overflow or by some other means). But even if all of this is true, it still doesn't work *at all*:
Being able to "take over" the client's keyboard means that the OS presumably offers this functionality to a website which (I assume) has to provide some kind of credentials (e.g. some special SSL certificate). Let's also assume that this system really works and is unhackable. (Not very likely, but whatever).
There are two types of clients:
a) The clean ones. Here there is no problem, no matter whether you use the "extra-special secure" rootkit or not.
b) The infected ones. These are the ones we're interested in. What happens is the following:
1. User connects to a website using his or her browser
2. The website requests to take over the keyboard somehow. Could be a special HTTP header, a new HTML tag, javascript, whatever.
3. The browser asks whether the client wants to allow that. Now several things can happen:
4a. The software on the infected client says "no". Maybe it even hides the dialog box. The user won't even notice. You lose.
4b. The user clicks "no". You lose.
4c. The user clicks "yes", the hacked software really says no. The website thinks the user said no and might even display that to the user. The user won't notice/care/understand. You lose.
4d. The user clicks "yes", the hacked software emulates the client-side of the extra-special secure functionality. The website thinks all is good, the user thinks all is good, and the hacked software happily logs your keystrokes. You lose.
4e. The user clicks "yes" and it really works. You win.
Now, what do you think is going to happen?
Many of the people I work with just "x" out the message no matter what it is. Every day I watch these people x the message for "do you want to turn autocomplete on?" or "you're about to submit information over the internet. continue?" when these boxes have the don't bug me box right there. This behavior drives me nuts. No wonder they can't figure out how to configure a wireless connection, they don't even read the damn screen. If you really want someone to read your message you've got to change the way the button looks. Don't switch them around.
Oh Crap, I'm an optimist.....
If the client is compromised then NO-ONE knows if the user clicked anything at all!!
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
They could simply word the dialog "Do you answer Yes to all security dialogs?". Those who answer Yes are given a message that their system is not secure enough for the transaction, with a link to solving "common problems". One of the "common problems" would be "Answering Yes to all security dialogs".
It is dangerous to be right when the government is wrong.
If the user responds "yes" to "Do you want to be f***ed in the ass?" then...
I like Whoreses too perhaps we could meet up.
My bank in the UK (Barclays) recently started using a new system for logging in to online banking. Basically they've sent everyone who uses online banking a card reader that uses the smart chip on your bank card to generate a one-time hash when supplied with your ATM PIN. The reader is not physically connected to the computer, so the user must type the hash into a form on the web page. This process is used both for logging in and for setting up funds transfers.
When you set up a funds transfer you are required to tell the device a few more pieces of information that identify the transaction, which are then included in the hash.
There has been some talk about later integrating this into the "Verified By VISA" thing that some sites are now supporting, where you get sent off to your bank's site and asked to log in when making a purchase. They've not done this yet, though, because the scheme is currently only on trial rather than being deployed to everyone.
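The card-reader scheme described in the post above, as an added model that is not the bank's code or part of the original comment: an offline device holds a secret shared with the bank, checks the PIN locally, and produces a one-time code bound to a counter and to the transaction details (beneficiary and amount), so a keylogger or a man-in-the-browser that alters the transfer after the code was generated gets a code that no longer verifies. Real deployments of this kind compute the code on the card's chip with EMV-style cryptograms; an HMAC-SHA256 over the same fields stands in for that here. The names (CardReader, BankVerifier, demo), the 8-digit HOTP-style truncation, the 10-code look-ahead window, the three-strike PIN lockout and the sample account numbers are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

DIGITS = 8          # assumption: the reader displays an 8-digit code
LOOKAHEAD = 10      # assumption: bank tolerates up to 10 codes generated but never submitted


def transaction_code(key: bytes, counter: int, beneficiary: str, amount_cents: int) -> str:
    """One-time code bound to (counter, beneficiary, amount). Any change to a field changes the code."""
    msg = (struct.pack(">Q", counter) + beneficiary.encode("ascii") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): the low nibble of the
    # last byte picks a 4-byte window, which is reduced to DIGITS decimal digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class CardReader:
    """Offline device: never connected to the PC, so the PC never sees the key or the PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.counter = 0
        self.failed_pins = 0

    def sign(self, pin: str, beneficiary: str, amount_cents: int) -> Optional[str]:
        if self.failed_pins >= 3:
            return None                                    # locked after three wrong PINs
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failed_pins += 1
            return None
        self.failed_pins = 0
        self.counter += 1                                  # every code is fresh, even for an identical transfer
        return transaction_code(self._key, self.counter, beneficiary, amount_cents)


class BankVerifier:
    """Bank side: recomputes the code from the details it is actually about to execute."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def verify(self, beneficiary: str, amount_cents: int, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + LOOKAHEAD):
            if hmac.compare_digest(transaction_code(self._key, c, beneficiary, amount_cents), code):
                self.last_counter = c                      # this and all earlier codes are now dead
                return True
        return False


def demo() -> dict:
    """Constructed scenario: honest transfer, tampered beneficiary, replay, retry, wrong PIN."""
    key = bytes(range(32))                                 # constructed shared secret
    payee = "GB29NWBK60161331926819"                       # constructed account identifiers
    attacker = "GB94BARC10201530093459"
    reader = CardReader(key, pin="4921")
    bank = BankVerifier(key)

    code = reader.sign("4921", payee, 12_000)
    honest = bank.verify(payee, 12_000, code)
    # Malware on the PC swaps the beneficiary after the user typed the code.
    code2 = reader.sign("4921", payee, 12_000)
    tampered = bank.verify(attacker, 12_000, code2)
    # Replaying the first code for the same transfer fails: its counter is spent.
    replay = bank.verify(payee, 12_000, code)
    # A fresh code for the intended transfer still works: counter 3 is inside the window.
    retry = bank.verify(payee, 12_000, reader.sign("4921", payee, 12_000))
    wrong_pin = reader.sign("0000", payee, 12_000)
    return {"code": code, "honest": honest, "tampered": tampered,
            "replay": replay, "retry": retry, "wrong_pin": wrong_pin}
```

The point the post makes about "a few more pieces of information that identify the transaction" is what transaction_code does: without the beneficiary and amount in the MAC input, the code would only prove that the card was present, and a man-in-the-browser could reuse it for a transfer the user never saw. The bank-side window is what keeps the scheme usable when the user generates a code and then abandons the page.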
...overlook the obvious case that most people just want the functionality a website offers, and hence will accept installations and such to obtain it. Most people really do not understand what is at risk when installing something from a third party, but then again, most really do not care. If at the end of the day they end up getting screwed, they'll call a lawyer.
Maybe instead of chronically pointing to the stupid lusers, we in the IT industry should shoulder the blame for the apathy out there concerning computer security. Should we really expect everyone to have to run a 5 stage security check on every "piece of shiet" website someone interacts with?
What have we in IT provided the users to diminish the need for everyone having to become a security expert?
Opinion:=TMyOpinion.Create(Me);
What I'd like to see is an essay on ladies who always say "Yes" and more importantly, where to find them...
A few of the commentators on \. have managed to translate the editorial into a proposal that actually might make some sense, but reading it as written, the proposal is the worst, most idiotic analysis I've heard today.
http://www.geoffreylandis.com
proposal I have seen since that "Irish, eat your children" thing.
The security problem shouldn't be solved by requiring every computer user to become a security expert.
A security system that people would actually use should require giving users just enough information for it to work, instead of overwhelming them. Surely IT professionals are intelligent enough to develop such a system. Or aren't they?
My company just bought some silly "VPN" ActiveX control suite for remote access--it somehow takes over your network stack and does something to only allow connections into the company's network from your computer, "for security". (My colleague said something about changing MTUs, but I think that's only part of it.)
So this already exists.
Of course, it doesn't work with GNU/Linux, so I just kinda chuckled and went back to using the dedicated terminal server.
What I think is hilarious is that a worm-infected machine can still access the internal network for purposes of spreading infection.
As explained here, the 66% number is from M$. Vint Cerf and Michael Dell say 20 to 40%.
Sooner or later the consensus opinion will match my estimate of 100%. Articles like this one are a good sign of that. Windoze is a booby trap and anyone who uses it long enough will get nailed, even the "smart users" who never click on anything and hide behind "firewalls" that are actually embedded gnu/linux.
I guess it's late and I'm not thinking straight.
No, you know exactly what you are doing but it's not working.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Before you begin rootkitting your customers, ask yourself: should I really entrust my company's security architecture to Charles Darwin?
For example, if botnets are clogging up the intarwebs (or BitTorrent, or whatever), as an ISP, I'd do one of two things: Either instantly block access to people you're detecting botnet traffic from, and explain the problem to them over the phone, or start charging people a flat rate per amount of bandwidth used, and log it -- either they'll be stung when they see what's eating their Internet bill, or they'll not care and pay absurdly high Internet bills, thus funding your new infrastructure to support them.
In other words, make it painful enough for them not to be educated, and/or pleasant enough for you to deal with uneducated people.
At least I didn't get Gilligan and the Professor in the mix.
Please, his professional name these days is "and the rest"...Bow-ties are cool.
The author does not like getting hate mail for violating the M$ party line. His response was to parody M$ doublethink. It only causes distress in people who take M$ security seriously in the first place.
Things are a lot easier when you quit blaming the user and prescribing crazy rules of safety and simply move to an OS without the same kind of problems. The sooner people do this the sooner botnets will die.
The article is a joke that makes fun of M$'s insulting "blame the user" attitude.
The willyhill account was made to harass BRLUG member Will Hill and Slashdot members Erris and Twitter. While I'd never censor the drivel offered by this troll, you can depend on none of it being true. As in the case of other imposters, I recommend that this post or similar disclaimer be willyhill's homepage. It's obvious that he's not the author of the page he points to currently.
Instead of, if the user clicks 'Yes' assume they always click 'Yes', are insecure, and require additional security to connect; or if the user clicks 'No' assume they don't care about security, are insecure, and require additional security to connect; the logic should be, if the user clicks 'Yes' assume they always click 'Yes' and the follow-up question should be, do you want to get together Friday night? And if the user clicks 'No' assume they always click 'No' and the follow-up question should be, do you have plans for Friday night?
I got the impression from TFA that it wasn't aimed at bots, but rather at users who are, possibly, less intelligent than the bots. I know a large number of people who download "Free Smiley Pack!1!!"s, and whose computers I would not want to deal with. I do agree that the question is stupid, though. If you asked a better question, like "Do you wnat(sic) to install CompanyName(tm) HyperSecuritifier(tm) to enhance your browsing experience?" then any user who installs it can be considered a major hazard and can be patronized considerably more with security measures. If they do not install it, they might be more trustworthy, although it's really anyone's guess.
Actually, except if you'd actually like to format the computer, either choice is correct.
Proof:
Let's just look at the specific definitions of Yes and No. We'll assume "Yes" being a positive response, i.e. formatting the computer and "No" being a negative response, i.e. not formatting the computer.
First definition: Yes means No; in this we redefine Yes to being a negative response: Yes := No. (1)
Second definition: No means Yes; in this we define No to being the Yes we already defined in (1): No := Yes := No => No = No. (2)
Therefore, with our initial definition defining "Yes" as the positive response and "No" as the negative response, "Yes = No" (1) and "No = No" (2), we can clearly conclude our assumption, that choosing either "Yes" or "No" is a negative response, is correct.
q.e.d.
welcome our new rootkit overlords!
It's not my fault that you can't get your sockpuppets and trolls straightened up.
I sure as hell didn't write that.
You might not be responsible for that thread, but you are responsible for representing yourself as someone else and being part of a harassment campaign against people who say things you or your employer don't like to hear. If you are doing it for yourself, you're an asshole. If you are doing it for money, you are a whore. Either way, you're scum and should not be trusted.
By the way, it's not working. Slashdot is still an entertaining and informative place, even for people like me.
You should do something better for a living like dishwashing. It pays better and would put you in touch with nicer people than your current employers and associates.
I think twitter just hung himself out to dry by posting this, because it confirms what everyone already knows.
No, it confirms that I'm either a BRLUG lurker or know how to use Google which is precisely nothing. Thanks for playing, have a nice day.
actually, i don't believe you could have expressed your sentiments in any more of an appropriate manner than you have already done so. now, while i don't hate niggers(in fact, i hate all humans, but hey, i'm misanthropic, which makes me an equal opportunity hater), i believe i can help you out on why you hate niggers.(to those of you who find the term nigger offensive, i apologize. i find it to be just as disgusting as you but i'm trying to help an unfortunate soul in language he can understand).
you hate niggers because you have low self-esteem. displacing your anger/disappointment at/in yourself on another person or group of people gives you a good feeling and someone to blame for your own shortcomings. as well, it's more than likely you understand very little of others' cultures(regardless of race, as i'd almost be willing to bet you don't just hate niggers, but "jews, spics, and chinks" as well), and, as so often happens with human beings, instead of trying to understand, it is much easier to lash out at it with hatred and mockery. humans, like any other animal, will lash out when they are frightened by something they don't understand.
no, i'd say the niggers aren't the problem. i'd say the bigger problem is with you. the nigger you hate is the nigger inside of you. and because of your narrow-mindedness and unwillingness to learn about that which you don't understand, that nigger will always be inside of you.
amituofo
I'll get the popcorn ready.
Unintentional hilarity is always the best.