Slashdot Mirror


Dan Geer On Trusting PCs In Botnets

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"

10 of 301 comments

  1. That worked so well by Gr8Apes · Score: 5, Insightful

    for Sony, for one. Yep, can't say enough good things about root-kitting your customers...

    --
    The cesspool just got a check and balance.
    1. Re:That worked so well by Anonymous Coward · Score: 5, Interesting

      Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing. Problem is, if you can get away with that, what else would they agree to? The benevolent company then takes measures to protect themselves since the user authorized it. They then pass the money saved from not dealing with infected computers on to their customers. Yay. If the customer initially declined, then apparently they like to keep control of their computer and you proceed under the assumption you're communicating with a clean(-ish) computer. Fair enough.

      I'd say that the main problem with this scenario is the idea of a business being benevolent. I don't trust them to not screw me... but isn't that the author's point? It's an interesting concept, even if it likely wouldn't execute well. At the very least, the idea of somehow measuring a customer's willingness to just click the "yes" button is worth some thought.

    2. Re:That worked so well by joto · Score: 5, Funny

      That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?
      Can I choose ^C ?
      Yes

      (assuming that "Yes means No and No means Yes" is still in effect).

  2. WTF by Zouden · Score: 5, Insightful

    Where's the Monty Python foot icon? This has to be a joke.

    --
    "A week in the lab saves an hour in the library"
  3. Numbers by willyhill · Score: 5, Insightful

    My guess is that the number of people who would say "No" is directly proportional to the number of PCs that are not infected.

    BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

    --
    The twitter monologues. Click on my homepage and be amazed.
  4. Flawed premise. by TeraCo · Score: 5, Insightful

    The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

    A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.

    --
    Not Meta-modding due to apathy.
    1. Re:Flawed premise. by TeraCo · Score: 5, Insightful

      If a reputable site is offering me 'extra security' and I accept it, that doesn't demonstrate anything about my willingness to accept malware. It just shows that I trust that reputable site.

      --
      Not Meta-modding due to apathy.
    2. Re:Flawed premise. by Anonymous Coward · Score: 5, Funny

      What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot? Yes, at that point you are an idiot.


      (Posted from a Windows system, by an idiot.)

  5. The Slashdot Experience by Blackheim · Score: 5, Funny

    Posts like this keep me coming back

  6. WTF? by thatskinnyguy · Score: 5, Insightful

    Is there anyone else here who read the summary and thought "What the fuck?!"

    --
    The game.