Slashdot Mirror
Dan Geer On Trusting PCs In Botnets
walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"
for Sony, for one. Yep, can't say enough good things about root-kitting your customers...
The cesspool just got a check and balance.
Where's the Monty Python foot icon? This has to be a joke.
"A week in the lab saves an hour in the library"
BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.
The twitter monologues. Click on my homepage and be amazed.
The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.
A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.
Not Meta-modding due to apathy.
I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
mod me off topic if you must, but I for one just cant bring myself to ever trust someone with muttonchops like that.
--In Soviet Russia, internet connection owns you!
A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.
I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to rook-kit(heh, root-kit as a verb)) your most secure and computer-savy users. They aren't going to like it.
If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."
So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
Posts like this keep me coming back
Is there anyone else here who read the summary and thought "What the fuck?!"
The game.
...hundred million botnets, washed up on the shore
Seems I'm not alone in being alone
Hundred million castaways, looking for a home
Ill send an SOS to the world
Ill send an SOS to the world
I hope someone don't get my
I hope someone don't get my
I hope someone don't get my
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
What if I do the same thing, and I do get different results?
Let's assume I go to this page. Let's assume I do read what's offered to me. So I could use a superspecialawesome security feature. Great. I'm security conscious and yes, I want that security feature.
Let's assume I go to this page. Let's assume I am a trained clickmonkey. So I get a dialog that asks "yes" or "no", and I click yes because I always click yes.
Erh... who'd click no?
What's the demographic of people who would click no there? People who do read security popups but don't want to be secure?
Sounds to me a bit like a scam. Nobody would click no there. So this all smells a bit like "look, we ASKED the customer if he wants to get a rootkit, it ain't like we didn't tell them".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.
You see, all the other rootkits will trust this one, thinking it's one of THEM!!! Then all you have to do is have your rootkit tell them that it can't stay long and would they please let it have this password/account number and they can steal the next.
They'll never even know this was a good guy root kit the whole time!
I for one, welcome our cross-platform-r00tkit-touting benevolent E-commerce overlords.
When you pull your head out of M$ propaganda you will understand what the author is saying. You don't get the joke because you are a victim of double think and believe things that glaringly contradict each other.
The author is responding to hate mail he got for challenging the M$ party line that only idiots get 0wned.
He parodies the party line brilliantly by saying:
and then suggesting that vendors instantly 0wn anyone who says they want a secure connection. This is not a serious suggestion, it simply point out the absurdity of blaming the user for something others so easily and frequently do. Vendors are screwed and he knows it.
The author is also pointing out how insulting it is for M$ to continue to blame the user for M$ security problems. If M$ really believes this, they must also believe that 2/3rd of their customers are idiots who and have VD. Is there any other vendor on the planet that so casually insults their customers?
Amazingly enough, the general population still believes the M$ party line. I had this argument with a co-worker the other day. He so strongly believed that it's the user's fault that he could not accept estimates by Vint Cerf or Michael Dell as accurate. Stories of corporate network dissaster are similarly dissmissed as the fault of idiots at work. More amazing than the man's inability to take in new information was the temper tantrum he threw when calmly questioned and confronted with facts. M$'s own estimates will also bounce off his otherwise bright head because it would force him to conclude that there's either a 2/3rd chance that he's an idiot or worse - he's been wrong headed and vocal for years, which is the definition of an idiot. How does M$ build such loyalty while being so abusive? Windoze security is a oxymoron and it's time the public at large understood that.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".
The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!
licet differant, aequabitur
Since we're discussing ways to make online shopping safer ...
Instead of giving your credit card into to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for that item(s) in the shopping cart identified by that string.
There. Your credit card info NEVER crosses the wire.
And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.
That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
vs
That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).
I'm no Microsoft fanboy, but it's not quite so bleak as you point out in your post. I am anxiously awaiting the day when I can use Ubuntu or MacOS at the office and run all the necessary applications for my job, but until that day comes, it's helpful to know how to kill offensive apps in Windows, too.
-Arthur
Cave ne ante ullas catapultas ambules
I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!
Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it to like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your client's PCs.
In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.
As far as I can tell, from my admittedly user point of view, the task manager doesn't actually kill processes. It sends them exit signals. As evidenced by the fact that, unlike every Linux distribution I've ever used, "end task" doesn't result in the immediate disappearance of any windows related to the process and the process name's removal from the process list. Only after a period of unresponsiveness does it drop ceremony and outright end the process.
In normal circumstances this is a good thing as it would allow applications to run their exit routines, saving settings, recovery files, and whatnot. But it would certainly be unwise to give malicious code the opportunity to run yet more code once you've decided to terminate it.
Are process explorer and pskill available from Microsoft (either as part of the install or as a download from microsoft's official site?) Otherwise you still run into some trust issues just to get that instant-kill functionality. Obviously, if you're running windows, you trust microsoft.
Can you be Even More Awesome?!
Really, why should the test be the user's reply to a question? If you can install your rootkit on the users machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.
Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.
.sig: file not found
To answer your last question : process explorer is available here : http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx which seems to be part of the microsoft website (if you trust URLs and DNS I mean).
...overlook the obvious case that most people just want the functionality a website offers, and hence will accept installations and such to obtain it. Most people really do not understand what is at risk when installing something from a third party, but then again, most really do not care. If at the end of the day they end up getting screwed, they'll call a lawyer.
Maybe instead of chronically pointing to the stupid lusers, we in the IT industry should shoulder the blame for the apathy out there concerning computer security. Should we really expect everyone to have to run a 5 stage security check on every "piece of shiet" website someone interacts with?
What have we in IT provided the users to diminish the need for everyone having to become a security expert?
Opinion:=TMyOpinion.Create(Me);
A few of the commentators on \. have managed to translate the editorial into a proposal that actually might make some sense, but reading it as written, the proposal is the worst, most idiotic analysis I've heard today.
http://www.geoffreylandis.com