Slashdot Mirror


Dan Geer On Trusting PCs In Botnets

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"

23 of 301 comments

  1. That worked so well by Gr8Apes · · Score: 5, Insightful

    for Sony, for one. Yep, can't say enough good things about root-kitting your customers...

    --
    The cesspool just got a check and balance.
    1. Re:That worked so well by Anonymous Coward · · Score: 5, Interesting

      Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing. Problem is, if you can get away with that, what else would they agree to? The benevolent company then takes measures to protect themselves since the user authorized it. They then pass the money saved from not dealing with infected computers on to their customers. Yay. If the customer initially declined, then apparently they like to keep control of their computer and you proceed under the assumption you're communicating with a clean(-ish) computer. Fair enough.

      I'd say that the main problem with this scenario is the idea of a business being benevolent. I don't trust them to not screw me... but isn't that the author's point? It's an interesting concept, even if it likely wouldn't execute well. At the very least, the idea of somehow measuring a customer's willingness to just click the "yes" button is worth some thought.

    2. Re:That worked so well by Holmwood · · Score: 4, Insightful

      > Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing.

      Actually, if I "agree" (i.e., say yes), it means I *do* mind being root-kitted. If the company then proceeds to root-kit my machine, they are definitely opening themselves up for a lawsuit.

      That question is almost as bad as the infamous:

      Yes means No and No means Yes. Format computer now, Yes/No?


      But really, this error reinforces some of the disturbing aspects of the original question as cited. Users who answer "Yes" to using a more secure question may be idiots who always click yes; they may be knowledgeable users who expect something like SSL. They are unlikely to be sophisticated users that expect to be root-kitted.

      I certainly agree with parent about the dangers of assuming benevolence -- from corporations, or governments.

      Holmwood
    3. Re:That worked so well by joto · · Score: 5, Funny

      > That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?

      Can I choose ^C ?
      Yes

      (assuming that "Yes means No and No means Yes" is still in effect).

  2. WTF by Zouden · · Score: 5, Insightful

    Where's the Monty Python foot icon? This has to be a joke.

    --
    "A week in the lab saves an hour in the library"
  3. Numbers by willyhill · · Score: 5, Insightful
    My guess is that the number of people who would say "No" is directly proportional to the number of PCs that are not infected.

    BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

    --
    The twitter monologues. Click on my homepage and be amazed.
    1. Re:Numbers by thegrassyknowl · · Score: 4, Insightful

      > Unless we deny users the right to use their computers... or educate them.

      You can't educate most of them. They don't want to learn. It's unfortunate but it's the truth. Laypeople think that "firewall" and "anti virus" is all they need to keep them safe from nasty people. I have the unfortunate task of dealing with people like that on a daily basis (many ask why I'm so jaded) and they don't care what the real experts say.

      If you tell average Joe that he shouldn't do something that he wants to because it's a bad idea and then Joe's "expert" mate says "nah man you've got firewall and AV installed you'll be right" he'll ignore you. He will listen to the "expert" mate of theirs that installed Windows once or twice using the restore disk that came with their shiny Dull PC and now thinks they know everything because the "expert" doesn't get in their way of doing stupid things.

      The number of users who click 'yes' and 'no' will be split 50/50, depending on the question. I don't think it's possible to predict what people are going to click because it all depends on the type of message and the wording.

      A lot of people always click allow or always click block when ZoneAlarm pops up a warning. They'll always click "Allow" when Windows pops up and says that they are trying to install an unsigned program. They have seen that type of dialog before and kind of know what to expect when they make their usual response.

      Random Internet questions are different because people aren't expecting them to be there. There is no preconceived notion of how to respond to the random question other than to read it and work out what it's trying to say.

      --
      I drink to make other people interesting!
    2. Re:Numbers by mcrbids · · Score: 4, Insightful
      > The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

      BBBBBZZZZZZZZZZZZZZZZZZZZZTTTTT!!!!

      Sorry, Charlie. You got this one wrong!

      True or false: Some places are more secure places to keep your money.

      True or false: Some cars are safer during a crash than others.

      True or false: Some airports are safer/more efficient than others.

      Now for the kicker:

      True or false: Some software is more secure/better designed than others.

      The truth is that my wonderful Mother in Law had her computer infected by merely clicking the subject line of an email on her otherwise patched computer with antivirus and a hardware firewall on a DSL connection. What did she do that she shouldn't have?

      People sometimes do stupid things, and even reasonable things in cars and get into accidents. But even so, a car that's well designed will protect its occupants better, and frequently makes the difference between injury and death. You get into an auto accident on the freeway, which would YOU rather be in: A Yugo or a Mercedes? I know which one I'D pick...

      People *do* make mistakes, and they *do* things that are stupid. If using a computer requires perfect behavior in order to work, then they won't work.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  4. Flawed premise. by TeraCo · · Score: 5, Insightful

    The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

    A better test would be to pop up 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.

    --
    Not Meta-modding due to apathy.
    1. Re:Flawed premise. by TeraCo · · Score: 5, Insightful

      If a reputable site is offering me 'extra security' and I accept it, that doesn't demonstrate anything about my willingness to accept malware. It just shows that I trust that reputable site.

      --
      Not Meta-modding due to apathy.
    2. Re:Flawed premise. by TeraCo · · Score: 4, Insightful
      > You trust a site.. on the internet. You are an idiot.

      How is that tinfoil hat treating you? People quite a bit cleverer than either of us have gone to a lot of trouble to address 'trust' issues on the internet.

      By the by, when you patch your OS you're trusting a site on the internet. I hope I haven't shocked you.

      --
      Not Meta-modding due to apathy.
    3. Re:Flawed premise. by omeomi · · Score: 4, Insightful

      > If you download and run an executable that *any* website offers you on the Internet, to provide you with "more security", then you're an idiot. Oh, and if you think otherwise you're an idiot too.

      Linux is often viewed as more secure than Windows...If I download a Linux distro, am I an idiot? Same goes for Firefox. The second bullet point on the Firefox web page is "Stay Secure on the Web". What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot?

    4. Re:Flawed premise. by Odiumjunkie · · Score: 4, Insightful

      > Having pointed this out, I do have to add: this is a retarded idea.

      Not only is it stupid, I imagine that it would be very hard to implement.

      Who wants to volunteer to code a "use-once rootkit" that provides a "special encrypting network stack" that guarantees secure communication on a machine that you believe is compromised with x brand of malware and y number of existing rootkits? How are you going to make it so secure that malware writers can't subvert it for their own purposes?

      The idea presented is bafflingly stupid, but the idea behind it is not: different security models for users based on behaviour patterns.

      If someone uses a six character dictionary-word password (you could check once before hashing and store the result), or fails to uncheck the "receive offers from our partners" checkbox when entering their e-mail address, then perhaps they're not terribly savvy computer users and it would be an idea to throw a few more CAPTCHAS at them each time they log in, or more closely monitor their account for suspicious activity.
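The behaviour-based tiering suggested in the comment above, sketched as an added example that is not part of the original post. The wordlist, the tier names and the scoring are assumptions made for illustration; the weak-password check runs at registration because that is the only moment the plaintext is available.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real deployment would load a full dictionary.
COMMON_WORDS = {"dragon", "monkey", "secret", "summer", "banana", "qwerty"}
ITERATIONS = 100_000

def is_weak(password):
    """Heuristic from the comment: at most six characters and a dictionary word."""
    return len(password) <= 6 and password.lower() in COMMON_WORDS

def register(store, user, password, kept_marketing_optin):
    salt = os.urandom(16)
    store[user] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        # Checked once, before hashing; only the boolean result is stored.
        "weak_password": is_weak(password),
        "kept_optin": kept_marketing_optin,
    }

def risk_tier(record):
    """Assumed scoring: each careless signal raises the tier by one."""
    score = int(record["weak_password"]) + int(record["kept_optin"])
    return ("baseline", "extra_captcha", "extra_captcha_and_monitoring")[score]

def login(store, user, password, captcha_passed):
    rec = store.get(user)
    if rec is None:
        return "denied"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    if not hmac.compare_digest(candidate, rec["hash"]):
        return "denied"
    tier = risk_tier(rec)
    if tier != "baseline" and not captcha_passed:
        return "captcha_required"  # step-up challenge for higher-risk accounts
    return "ok_monitored" if tier == "extra_captcha_and_monitoring" else "ok"

if __name__ == "__main__":
    db = {}
    register(db, "alice", "dragon", kept_marketing_optin=True)
    register(db, "bob", "correct horse battery staple", kept_marketing_optin=False)
    print(login(db, "alice", "dragon", captcha_passed=False))
    print(login(db, "bob", "correct horse battery staple", captcha_passed=False))
```

The stored `weak_password` flag is itself sensitive: anyone who can read the table learns which hashes are weakest, so it needs the same protection as the hashes.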

    5. Re:Flawed premise. by Anonymous Coward · · Score: 5, Funny

      > What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot?

      Yes, at that point you are an idiot.


      (Posted from a Windows system, by an idiot.)

  5. Dumb. by WK2 · · Score: 4, Informative

    > When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes"

    I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  6. Wait a second.... by PieSquared · · Score: 4, Insightful

    A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.

    I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to root-kit (heh, root-kit as a verb)) your most secure and computer-savvy users. They aren't going to like it.

    If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."

    So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.

    --
    Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
  7. The Slashdot Experience by Blackheim · · Score: 5, Funny

    Posts like this keep me coming back

  8. WTF? by thatskinnyguy · · Score: 5, Insightful

    Is there anyone else here who read the summary and thought "What the fuck?!"

    --
    The game.
  9. Woke up this morning, don't believe what I saw by greenguy · · Score: 4, Funny

    ...hundred million botnets, washed up on the shore
    Seems I'm not alone in being alone
    Hundred million castaways, looking for a home

    I'll send an SOS to the world
    I'll send an SOS to the world
    I hope someone don't get my
    I hope someone don't get my
    I hope someone don't get my
    PC in a botnet, yeah
    PC in a botnet, yeah
    PC in a botnet, yeah
    PC in a botnet, yeah

    --
    What if I do the same thing, and I do get different results?
  10. Yes, another kdawson masterpiece. by radimvice · · Score: 4, Insightful

    I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick 'em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.

  11. better dialog box by Rudisaurus · · Score: 4, Insightful

    I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".

    The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!

    --
    licet differant, aequabitur
  12. Or a different approach. by khasim · · Score: 4, Interesting

    Since we're discussing ways to make online shopping safer ...

    Instead of giving your credit card info to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for that item(s) in the shopping cart identified by that string.

    There. Your credit card info NEVER crosses the wire.

    And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.

    That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
    vs
    That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).
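The payment flow proposed in the comment above, modelled as an added example that is not part of the original post. The `Store` and `Bank` classes, their method names and the single-use rule are assumptions; the point shown is that the store only ever handles the random string, and the bank takes the amount from the store's record of the cart.

```python
import secrets

class Store:
    def __init__(self, name):
        self.name = name
        self.carts = {}  # token -> {"amount_cents": int, "paid": bool}

    def checkout(self, amount_cents):
        """Issue the random string the shopper copies to the bank's site."""
        token = secrets.token_urlsafe(16)  # unguessable, one per cart
        self.carts[token] = {"amount_cents": amount_cents, "paid": False}
        return token

    def quote(self, token):
        """Bank-facing lookup: amount owed, or None if unknown or already paid."""
        cart = self.carts.get(token)
        if cart is None or cart["paid"]:
            return None
        return cart["amount_cents"]

    def mark_paid(self, token):
        self.carts[token]["paid"] = True

class Bank:
    def __init__(self):
        self.balances = {}  # customer -> cents
        self.ledger = []    # (customer, store name, cents), usable for store ratings

    def pay(self, customer, store, token):
        # The amount comes from the store's record, not from the customer's browser.
        amount = store.quote(token)
        if amount is None:
            return "rejected: unknown or already-paid token"
        if self.balances.get(customer, 0) < amount:
            return "rejected: insufficient funds"
        self.balances[customer] -= amount
        self.ledger.append((customer, store.name, amount))
        store.mark_paid(token)  # single use: the same string cannot be paid twice
        return "paid"

if __name__ == "__main__":
    shop, bank = Store("example-shop"), Bank()
    bank.balances["carol"] = 5000  # constructed sample account
    t = shop.checkout(1999)
    print(bank.pay("carol", shop, t))  # first payment goes through
    print(bank.pay("carol", shop, t))  # replay of the same string is refused
```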

  13. Huh? by Psychor · · Score: 4, Interesting

    I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!

    Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it too, like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your clients' PCs.

    In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.