Dan Geer On Trusting PCs In Botnets
walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"
Mod me off topic if you must, but I for one just can't bring myself to ever trust someone with muttonchops like that.
Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing. Problem is, if you can get away with that, what else would they agree to? The benevolent company then takes measures to protect themselves since the user authorized it. They then pass the money saved from not dealing with infected computers on to their customers. Yay. If the customer initially declined, then apparently they like to keep control of their computer and you proceed under the assumption you're communicating with a clean(-ish) computer. Fair enough.
I'd say that the main problem with this scenario is the idea of a business being benevolent. I don't trust them to not screw me... but isn't that the author's point? It's an interesting concept, even if it likely wouldn't execute well. At the very least, the idea of somehow measuring a customer's willingness to just click the "yes" button is worth some thought.
Let's assume I go to this page. Let's assume I do read what's offered to me. So I could use a superspecialawesome security feature. Great. I'm security conscious and yes, I want that security feature.
Let's assume I go to this page. Let's assume I am a trained clickmonkey. So I get a dialog that asks "yes" or "no", and I click yes because I always click yes.
Erh... who'd click no?
What's the demographic of people who would click no there? People who do read security popups but don't want to be secure?
Sounds to me a bit like a scam. Nobody would click no there. So this all smells a bit like "look, we ASKED the customer if he wants to get a rootkit, it ain't like we didn't tell them".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You're on a website. You trust it enough to connect to it and assume it will not exploit your system should its owners become aware of a client exploit you are susceptible to and are unaware of. Where did you get your anti-virus or firewall software or your patches to bugs that are discovered in your network stack or network daemons? Super happy fun land?
As soon as you plug that cable in, you impart some minimum amount of trust to teh interwebs. As far as I can tell, nobody who has installed reputable trustable anti-virus software has had their machine zombified.
So you're making a moot point. If you want to take this to infinity, you trust the manufacturer of your CPU not to hide some plastic explosives in there that detonate when you boot it up on some random date. I think what you meant to say was, "There is always a risk in everything you do, which you can minimize to a practically irrelevant level if you are sufficiently educated in the relevant subject matter."
Genius, Einstein.
"Old man yells at systemd"
Since we're discussing ways to make online shopping safer ...
Instead of giving your credit card info to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for the item(s) in the shopping cart identified by that string.
There. Your credit card info NEVER crosses the wire.
And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.
That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
vs
That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).
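The flow this comment describes, as an added sketch that is not part of the original post: the store issues a random reference for the cart, the customer hands only that reference to the bank, and the bank pays the store. The names `Store`, `Bank`, `checkout`, `quote` and `pay` are hypothetical, and two details are assumptions the comment does not spell out: the bank asks the store for the amount instead of trusting the customer's input, and a reference can be paid only once.

```python
import secrets

class Store:
    """Merchant: issues one random reference per shopping cart (hypothetical API)."""
    def __init__(self, name):
        self.name = name
        self.orders = {}                      # reference -> order record

    def checkout(self, items, amount_cents):
        ref = secrets.token_urlsafe(16)       # 128 random bits, unguessable
        self.orders[ref] = {"items": items, "amount": amount_cents, "paid": False}
        return ref                            # the only value shown to the customer

    def quote(self, ref):
        """Called by the bank: amount owed for an open reference, else None."""
        order = self.orders.get(ref)
        return None if order is None or order["paid"] else order["amount"]

    def mark_paid(self, ref):
        self.orders[ref]["paid"] = True

class Bank:
    """Holds the account data; the store never sees it."""
    def __init__(self):
        self.balances = {}                    # customer -> cents
        self.merchants = {}                   # store name -> Store
        self.used_refs = set()                # replay protection

    def pay(self, customer, store_name, ref):
        store = self.merchants.get(store_name)
        if store is None or (store_name, ref) in self.used_refs:
            return False
        amount = store.quote(ref)             # assumption: amount comes from the store
        if amount is None or self.balances.get(customer, 0) < amount:
            return False
        self.balances[customer] -= amount
        self.used_refs.add((store_name, ref))
        store.mark_paid(ref)
        return True

def demo():
    # Constructed sample data
    store, bank = Store("example-store"), Bank()
    bank.merchants[store.name] = store
    bank.balances["alice"] = 10_000
    ref = store.checkout(["book"], 2_500)
    first = bank.pay("alice", store.name, ref)
    replay = bank.pay("alice", store.name, ref)      # same string again
    forged = bank.pay("alice", store.name, "guess")  # reference never issued
    return first, replay, forged, bank.balances["alice"]
```

A captured reference is worthless to anyone else after the first payment: it names a cart, not an account, and it cannot be replayed.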
I'm no Microsoft fanboy, but it's not quite so bleak as you point out in your post. I am anxiously awaiting the day when I can use Ubuntu or MacOS at the office and run all the necessary applications for my job, but until that day comes, it's helpful to know how to kill offensive apps in Windows, too.
-Arthur
Cave ne ante ullas catapultas ambules
I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!
Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it too, like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your clients' PCs.
In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.
It's not hard to implement. It already exists, and is called nProtect. I first encountered it on the Ragnarok Online website, an MMORPG with Korean roots.
nProtect is an ActiveX module which installs a kernel driver (!!). I'm not sure how it works, but it appears this kind of product is very popular in Korea, where they use it instead of SSL (!).
We always had licenses for HAM radio. And any HAM operator knows the trouble caused by unlicensed/incompetent operators. Ham radio has the licensing requirement because radio spectrum is a limited resource.
Maybe we should have a similar system on the internet: A special, restricted use network to be used only by licensed operators, and a free, no-license citizen's band internet for myspace users and similar fauna.