Dan Geer On Trusting PCs In Botnets

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"

The Slashdot Experience

[Blackheim]

Posts like this keep me coming back

Woke up this morning, don't believe what I saw

[greenguy]

...hundred million botnets, washed up on the shore
Seems I'm not alone in being alone
Hundred million castaways, looking for a home

Ill send an SOS to the world
Ill send an SOS to the world
I hope someone don't get my
I hope someone don't get my
I hope someone don't get my
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah

Re:Flawed premise.

What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot? Yes, at that point you are an idiot.

(Posted from a Windows system, by an idiot.)

Re:That worked so well

[joto]

That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?

Can I choose ^C ?

Yes

(assuming that "Yes means No and No means Yes" is still in effect).