Slashdot Mirror


Dan Geer On Trusting PCs In Botnets

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"

31 of 301 comments

  1. That worked so well by Gr8Apes · · Score: 5, Insightful

    for Sony, for one. Yep, can't say enough good things about root-kitting your customers...

    --
    The cesspool just got a check and balance.
    1. Re:That worked so well by Holmwood · · Score: 4, Insightful

      Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing.

      Actually, if I "agree" (i.e., say yes), it means I *do* mind being root-kitted. If the company then proceeds to root-kit my machine, they are definitely opening themselves up for a lawsuit.

      That question is almost as bad as the infamous:

      Yes means No and No means Yes. Format computer now, Yes/No?


      But really, this error reinforces some of the disturbing aspects of the original question as cited. Users who answer "Yes" to using a more secure question may be idiots who always click yes; they may be knowledgeable users who expect something like SSL. They are unlikely to be sophisticated users that expect to be root-kitted.

      I certainly agree with parent about the dangers of assuming benevolence -- from corporations, or governments.

      Holmwood
    2. Re:That worked so well by Brian+Gordon · · Score: 3, Insightful

      Not penalizing. Although the author's grasp of English is dubious, I think he's saying to present the user with an "Install this ActiveX control"/plugin popup. If the person accepts it, then they're an idiot and the plugin battens down the OS for the duration of the transaction so that all the other spyware can't get at it. If they decline it, the transaction continues anyway because they have the security sense to turn down a random plugin.

    3. Re:That worked so well by Yetihehe · · Score: 2, Insightful

      > That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?

      Can I choose ^C ?
      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    4. Re:That worked so well by mtgarden · · Score: 3, Insightful

      That was the point I made at ZDnet. If the company asked me if I could be root-kitted, I would say no. If they asked me if they could enable a more secure transaction, I would probably say yes. My assumption would be that the company would now require tougher passwords etc... and give me some sort of perk for being extra safety conscious. So the assumption that I would select yes, because I am dumb and always click yes, is retarded. I only click yes when I trust the source (I assume a reputable business to be trustworthy). And no, Sony is not reputable so don't ask. I operate under paranoia. That's kept me virus free to date.

    5. Re:That worked so well by Lobster+Quadrille · · Score: 2, Insightful

      In related news, you can improve security on your computer by installing my super-special-anti-hacker plugin.

      If you've already been rooted, there's no plugin you can use to improve security...

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  2. WTF by Zouden · · Score: 5, Insightful

    Where's the Monty Python foot icon? This has to be a joke.

    --
    "A week in the lab saves an hour in the library"
  3. Numbers by willyhill · · Score: 5, Insightful
    My guess is that the number of people who would say "No" is directly proportional to the number of PCs that are not infected.

    BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

    --
    The twitter monologues. Click on my homepage and be amazed.
    1. Re:Numbers by thegrassyknowl · · Score: 4, Insightful

      > Unless we deny users the right to use their computers... or educate them.

      You can't educate most of them. They don't want to learn. It's unfortunate but it's the truth. Laypeople think that "firewall" and "anti virus" is all they need to keep them safe from nasty people. I have the unfortunate task of dealing with people like that on a daily basis (many ask why I'm so jaded) and they don't care what the real experts say.

      If you tell average Joe that he shouldn't do something that he wants to because it's a bad idea and then Joe's "expert" mate says "nah man you've got firewall and AV installed you'll be right" he'll ignore you. He will listen to the "expert" mate of his that installed Windows once or twice using the restore disk that came with his shiny Dull PC and now thinks he knows everything because the "expert" doesn't get in his way of doing stupid things.

      The number of users who click 'yes' and 'no' will be split 50/50, depending on the question. I don't think it's possible to predict what people are going to click because it all depends on the type of message and the wording.

      A lot of people always click allow or always click block when ZoneAlarm pops up a warning. They'll always click "Allow" when Windows pops up and says that they are trying to install an unsigned program. They have seen that type of dialog before and kind of know what to expect when they make their usual response.

      Random Internet questions are different because people aren't expecting them to be there. There is no preconceived notion of how to respond to the random question other than to read it and work out what it's trying to say.

      --
      I drink to make other people interesting!
    2. Re:Numbers by johnny+boy · · Score: 3, Insightful

      Except when the OS tells someone, by icon and name, that they are clicking on an image, then it shouldn't install a program instead. Hiding extensions and allowing programs to masquerade as benign files is an interface issue. There is no reason Microsoft can't design the interface to ensure that EXE icons have a special signifier indicating the nature of using the icon (Linux might improve here too).

      Hiding the extensions by default might make the interface seem less cluttered, but it definitely creates confusion when you have a file actually named safe.jpg.exe and you see safe.jpg.

      Then there is just the plain dumb stuff that's other people's fault, like programs that crash on malformed input.

    3. Re:Numbers by mcrbids · · Score: 4, Insightful
      > The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

      BBBBBZZZZZZZZZZZZZZZZZZZZZTTTTT!!!!

      Sorry, Charlie. You got this one wrong!

      True or false: Some places are more secure places to keep your money.

      True or false: Some cars are safer during a crash than others.

      True or false: Some airports are safer/more efficient than others.

      Now for the kicker:

      True or false: Some software is more secure/better designed than others.

      The truth is that my wonderful Mother in Law had her computer infected by merely clicking the subject line of an email on her otherwise patched computer with antivirus and a hardware firewall on a DSL connection. What did she do that she shouldn't have?

      People sometimes do stupid things, and even reasonable things in cars and get into accidents. But even so, a car that's well designed will protect its occupants better, and frequently makes the difference between injury and death. You get into an auto accident on the freeway, which would YOU rather be in: A Yugo or a Mercedes? I know which one I'D pick...

      People *do* make mistakes, and they *do* things that are stupid. If using a computer requires perfect behavior in order to work, then they won't work.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    4. Re:Numbers by joto · · Score: 3, Insightful

      > Some people are just too stupid to own computers

      No. They might be too stupid to operate a computer, or too stupid to operate a computer connected to the Internet without getting infected in less than 30 seconds. But I believe even most primates are intelligent enough to own one. What that requires is simply an understanding of private property.

      > I have given up trying to educate some friends of friends who need their computers fixed again.

      Why were you trying to educate them in the first place? Did they ask you to educate them? Did they seem particularly interested in Internet security? Or was there some other reason that focused more on your needs than theirs?

      What you should do is to stop fixing friends (of friends) computers for free. If they have to pay (not necessarily you) for support, they will learn about Internet security by necessity.

      I have a friend who is a cook, and I don't expect him to cook me free food (if he always did, I would never learn to cook). Nor do I expect my friend who is a debt-collector, to collect debt for me either.

      The reason idiots ask you to fix their computer is (a) because you actually do it, and (b) because you always say yes, so they assume you enjoy it. If you say no, they will (a) respect that, and (b) not stop being friends with you. Unless they are psychopaths, in which case you are better off anyway.

  4. Flawed premise. by TeraCo · · Score: 5, Insightful

    The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

    A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.

    --
    Not Meta-modding due to apathy.
    1. Re:Flawed premise. by TeraCo · · Score: 5, Insightful

      If a reputable site is offering me 'extra security' and I accept it, that doesn't demonstrate anything about my willingness to accept malware. It just shows that I trust that reputable site.

      --
      Not Meta-modding due to apathy.
    2. Re:Flawed premise. by TeraCo · · Score: 4, Insightful
      > You trust a site.. on the internet. You are an idiot.

      How is that tinfoil hat treating you? People quite a bit cleverer than either of us have gone to a lot of trouble to address 'trust' issues on the internet.

      By the by, when you patch your OS you're trusting a site on the internet. I hope I haven't shocked you.

      --
      Not Meta-modding due to apathy.
    3. Re:Flawed premise. by omeomi · · Score: 4, Insightful

      > If you download and run an executable that *any* website offers you on the Internet, to provide you with "more security", then you're an idiot. Oh, and if you think otherwise you're an idiot too.

      Linux is often viewed as more secure than Windows...If I download a Linux distro, am I an idiot? Same goes for Firefox. The second bullet point on the Firefox web page is "Stay Secure on the Web". What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot?

    4. Re:Flawed premise. by Anonymous Coward · · Score: 2, Insightful

      But then, I have a client, a medical practice, no less, (can you say HIPAA?) and within a month of setting up their reasonably secure --no user is an administrator on the local machine-- network, they are complaining that this or that continuing education site wants to install a proprietary player to deliver an online lecture and they are prevented because they don't have administrator privileges...

      They are small enough that having an IT guy full time isn't an option, and self-important enough that waiting a day for someone to install the player is not an option, so pretty much the only way to deal with this is to elevate privileges for the user...

      How long will it be before they are owned by malware? I give it 6 months.

      My point is that ordinary users just wanna have their 'user experience' and they really don't know or care about the implications. Unfortunately, content providers assume personal control/admin privilege of the host, and the losers are small businesses that care about security.

    5. Re:Flawed premise. by Odiumjunkie · · Score: 4, Insightful

      > Having pointed this out, I do have to add: this is a retarded idea.

      Not only is it stupid, I imagine that it would be very hard to implement.

      Who wants to volunteer to code a "use-once rootkit" that provides a "special encrypting network stack" that guarantees secure communication on a machine that you believe is compromised with x brand of malware and y number of existing rootkits? How are you going to make it so secure that malware writers can't subvert it for their own purposes?

      The idea presented is bafflingly stupid, but the idea behind it is not: different security models for users based on behaviour patterns.

      If someone uses a six character dictionary-word password (you could check once before hashing and store the result), or fails to uncheck the "receive offers from our partners" checkbox when entering their e-mail address, then perhaps they're not terribly savvy computer users and it would be an idea to throw a few more CAPTCHAS at them each time they log in, or more closely monitor their account for suspicious activity.
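
The adaptive-friction idea in the comment above, as an added example (not code from the thread or from any real site): the password-strength signal is assessed once before hashing and stored as a flag, a marketing opt-in is the second signal, and the login policy scales CAPTCHAs and monitoring with the number of signals. The wordlist, the field names and the one-CAPTCHA-per-signal policy are assumptions for illustration.

```python
"""Behaviour-based step-up friction at registration and login.

Added example, not from the comment thread.  Two constructed signals:
  * weak_password    - six characters or fewer, or a plain dictionary word;
                       checked once before hashing and stored as a boolean,
                       because it cannot be recovered from the hash later.
  * marketing_opt_in - the "receive offers from our partners" box left checked.
The login policy applies one baseline CAPTCHA plus one per signal and turns on
closer monitoring when any signal is present.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a real wordlist (assumption for the example).
DICTIONARY = frozenset({"password", "letmein", "dragon", "monkey", "welcome"})
PBKDF2_ROUNDS = 200_000


def password_is_weak(password: str) -> bool:
    """Heuristic from the comment: short, or a dictionary word."""
    return len(password) <= 6 or password.lower() in DICTIONARY


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; only this string is ever stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def register(username: str, password: str, marketing_opt_in: bool) -> dict:
    """Build the account record; the strength check runs before hashing."""
    weak = password_is_weak(password)
    return {
        "username": username,
        "pw_hash": hash_password(password),
        "weak_password": weak,
        "marketing_opt_in": marketing_opt_in,
    }


def login_policy(account: dict) -> dict:
    """Map the stored signals to the friction applied at each login."""
    signals = [k for k in ("weak_password", "marketing_opt_in") if account[k]]
    return {
        "captchas": 1 + len(signals),   # baseline CAPTCHA plus one per signal
        "monitor_closely": bool(signals),
        "signals": signals,
    }


if __name__ == "__main__":
    acct = register("alice", "monkey", marketing_opt_in=True)
    print(login_policy(acct))
```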

    6. Re:Flawed premise. by a_nonamiss · · Score: 2, Insightful

      > You trust a site.. on the internet. You are an idiot.

      ::Sigh:: So I suppose you never do anything useful on the Internet? Why not just unplug your modem/Ethernet cable? It would save you from having your PC compromised, and it would save the rest of us from your logic.
      --
      -Arthur
      Cave ne ante ullas catapultas ambules
  5. Wait a second.... by PieSquared · · Score: 4, Insightful

    A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.

    I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to root-kit (heh, root-kit as a verb)) your most secure and computer-savvy users. They aren't going to like it.

    If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."

    So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.

    --
    Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
    1. Re:Wait a second.... by nacturation · · Score: 2, Insightful

      what part of this is hard to understand?

      Taking the control of the keyboard away from the OS *is* the super special security that they are asking you to install.. you said yes. The summary *and* the article are poorly worded. Rather than simply asking "Do you want to use our extra-secure connection?" (as in, this could be a somewhat slower but more secure 256 bit standard SSL protocol) the question should have been phrased as "Do you want to download and install this executable software to enable our extra-secure connection?". In that light, the rest of the discussion actually somewhat makes sense... however much you agree or disagree with the rest.
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. WTF? by thatskinnyguy · · Score: 5, Insightful

    Is there anyone else here who read the summary and thought "What the fuck?!"

    --
    The game.
    1. Re:WTF? by Tim+C · · Score: 2, Insightful

      Well, I actually thought (and in fact said out loud) "That's an absolutely fucking ridiculous idea!", but close enough I feel.

      So, I access a site I presumably already trust which would presumably be worthy of that trust, as they're trying to protect themselves and their users (albeit in an utterly retarded way). It pops up a dialogue asking me if I want to use a new, even more secure connection, and if I say yes then they root my PC because they think I'm an idiot and therefore my PC is almost certainly infected? I want more security from a site I trust so I'm better protected and that makes me untrustworthy.

      Pure fucking genius. About the only redeeming feature is that any site that implements the scheme as described isn't trustworthy and so I shouldn't have hit yes and so I shouldn't be surprised when I get rooted. That's pretty much the exact opposite of what they're aiming for, however.

  7. Half-Flawed premise. by Anonymous Coward · · Score: 1, Insightful
    > The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

    Only a half-flawed premise. You're right in that the variable isn't "yes" or "no". I'd suggest that there is a variable that can be measured, and it's the time delay between display of the warning and user-response.

    The guy who clicks "yes" in less than 500 milliseconds + (2 * latency_between_You_and_Client) can be assumed to be pwn3d. He clicks "Yes" to everything.

    And the guy who clicks "no" in the same interval is just as likely to be pwn3d. He clicks on everything.

    The only secure systems are run by people who take at least 5000 ms (5 seconds) to go "Huh? WTF?" and make a choice. They're the ones who can't be (immediately) assumed to be pwn3d.

    If I read such a message and parse it as "WTF? That's not a valid request by any server I understand for the use of a secure protocol! IT'S A TRAP!", and click "No", I'm paranoid enough that I'm not likely to be pwn3d. Similarly, if I read such a message and parse it as "WTF? I have no idea what wrapper he's using around HTTPS, SSH, sftp or whatever, but that's gotta be from some kind of wrapper!", I'm also thinking hard enough that I'm not likely to be pwn3d.
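
The response-time rule in the comment above, as an added example (not code from the thread or any product): clicks faster than 500 ms plus twice the one-way latency are treated as reflexes whichever button was hit, clicks after 5000 ms as deliberate, and the gap between as unknown. One check is added beyond the comment: an answer that arrives before one full round trip could not come from someone who saw the dialog and is flagged separately. Field names, the sample responses and the latency figures are constructed.

```python
"""Classify responses to a "use our extra-secure connection?" dialog by timing.

Added example implementing the rule from the comment above.  Times are server
clock milliseconds; latency_ms is an assumed one-way estimate to the client.
"""
from collections import Counter
from dataclasses import dataclass

REFLEX_BASE_MS = 500      # "less than 500 milliseconds + 2 * latency"
READ_THRESHOLD_MS = 5000  # "at least 5000 ms to go 'Huh? WTF?'"


@dataclass(frozen=True)
class DialogResponse:
    client_id: str
    answer: str          # "yes" or "no"
    shown_at_ms: int     # server clock when the dialog was sent
    answered_at_ms: int  # server clock when the answer arrived
    latency_ms: int      # estimated one-way latency to this client


def classify(resp: DialogResponse) -> str:
    """'impossible', 'reflex', 'deliberate' or 'unknown'."""
    elapsed = resp.answered_at_ms - resp.shown_at_ms
    round_trip = 2 * resp.latency_ms
    if elapsed < round_trip:
        # Added caveat: the dialog cannot even have reached the client yet
        # (scripted client, replayed request, or clock skew).
        return "impossible"
    if elapsed < REFLEX_BASE_MS + round_trip:
        return "reflex"
    if elapsed >= READ_THRESHOLD_MS:
        return "deliberate"
    return "unknown"


def assume_compromised(resp: DialogResponse) -> str:
    """'assumed', 'not-assumed' or 'no-inference', following the comment."""
    kind = classify(resp)
    if kind in ("reflex", "impossible"):
        return "assumed"      # a reflex "no" counts the same as a reflex "yes"
    if kind == "deliberate":
        return "not-assumed"
    return "no-inference"


# Constructed sample: five clients answering one dialog shown at t=10000 ms.
SAMPLE = [
    DialogResponse("c1", "yes", 10_000, 10_150, 40),  # reflex yes
    DialogResponse("c2", "no",  10_000, 10_200, 40),  # reflex no
    DialogResponse("c3", "no",  10_000, 17_000, 40),  # read it, then declined
    DialogResponse("c4", "yes", 10_000, 12_000, 40),  # grey zone
    DialogResponse("c5", "yes", 10_000, 10_050, 40),  # faster than a round trip
]


def summarize(responses) -> dict:
    """Tally of assume_compromised() outcomes over a batch of responses."""
    return dict(Counter(assume_compromised(r) for r in responses))


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.client_id, r.answer, classify(r), assume_compromised(r))
    print(summarize(SAMPLE))
```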

  8. Re:Dumb. by QuantumG · · Score: 1, Insightful

    If I offer you a virus and you happily run it because you think it will give you more security, I think that's a reasonable test to see whether or not you're likely already infected with a virus (because even if you weren't, you are now).

    --
    How we know is more important than what we know.
  9. Yes, another kdawson masterpiece. by radimvice · · Score: 4, Insightful

    I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.

  10. better dialog box by Rudisaurus · · Score: 4, Insightful

    I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".

    The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!

    --
    licet differant, aequabitur
  11. Re:Dumb. by QuantumG · · Score: 2, Insightful

    Have you considered the possibility that someone has broken into the stock buying site and now would like to get into your banking site? Maybe because, I don't know, they think you might have *more* money in your bank account that the stock buying site doesn't have access to and they'd like that money too? Honestly, if your stock buying site tells you that you need more security than your browser supplies and asks that you download some random piece of software that you can't even inspect to ensure is not malware, then say no.. otherwise you're most likely installing a key logger as the stock buying site would have to be pretty dumb to think asking people to run arbitrary code is a good thing.

    It's like people who ask you to run an ActiveX control because it is "more secure". They're obviously idiots and you should take your business elsewhere.

    --
    How we know is more important than what we know.
  12. Mr. Geer doesn't go far enough by petard · · Score: 3, Insightful

    Really, why should the test be the user's reply to a question? If you can install your rootkit on the users machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.

    Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.

    --
    .sig: file not found
  13. I think people such as yourself... by bjk002 · · Score: 2, Insightful

    ...overlook the obvious case that most people just want the functionality a website offers, and hence will accept installations and such to obtain it. Most people really do not understand what is at risk when installing something from a third party, but then again, most really do not care. If at the end of the day they end up getting screwed, they'll call a lawyer.

    Maybe instead of chronically pointing to the stupid lusers, we in the IT industry should shoulder the blame for the apathy out there concerning computer security. Should we really expect everyone to have to run a 5 stage security check on every "piece of shiet" website someone interacts with?

    What have we in IT provided the users to diminish the need for everyone having to become a security expert?

    --
    Opinion:=TMyOpinion.Create(Me);
  14. Asking to be Secure means already infected? by Geoffrey.landis · · Score: 2, Insightful
    Is this for real? The proposal is that clients who do ask for a secure connection are infected, and that the ones who don't ask for a secure connection aren't infected? Isn't this, like, precisely opposite of what you'd expect? And his response to clients who ask for a secure connection is to put a rootkit on their server?

    A few of the commentators on \. have managed to translate the editorial into a proposal that actually might make some sense, but reading it as written, the proposal is the worst, most idiotic analysis I've heard today.

    --
    http://www.geoffreylandis.com