Web Browsers Under Siege From Organized Crime

An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"

80%...?

Are they saying that antispyware software misses 80% of the spyware?

Firefox? Opera? Safari?

[TFGeditor]

Okay, I admint I have not (yet) read the article, but experience tells me that 80% likely involves IE at 90 percent or better.

Re:Firefox? Opera? Safari?

[HangingChad]

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.

I did read the article and can't tell, either. My experience coincides with yours. Funny articles are hesitant to spell out the distribution of vulnerabilities. I wonder if they get leaned on by Microsoft's legal department or one of their PR firms?

Just exactly how many of those vulnerabilities are Firefox running on Ubuntu? Or Safari? Or, as usual, is Windows and IE the most attractive attack vector?

Re:Firefox? Opera? Safari?

[dynamo]

This post isn't a troll, IE is.

Re:Firefox? Opera? Safari?

[FudRucker]

even though your comment was modded down as a troll, i agree with you wholeheartedly...

Re:Firefox? Opera? Safari?

[Farmer+Tim]

I most strongly disagree. IE is flamebait: use it, and you will get burned.

Re:Firefox? Opera? Safari?

[WilliamSChips]

I'm not fully sure but I know every browser has one vulnerability. It's between keyboard and chair.

Re:Firefox? Opera? Safari?

[baboo_jackal]

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.
It's a Troll because anecdotal evidence boils down to pretty much this: "That's what my personal experience leads me to *feel* is true, and here are some numbers (I made up) that *feel* right to quantify my *feelings*."

I did read the article and can't tell, either. ... Funny articles are hesitant to spell out the distribution of vulnerabilities.
The linked pdf showed that Firefox had 36 critical security issues versus IE's 28.

Given that modern OSes protect against low-level access violations, I think you can answer your question by looking at the security fault type: 22 of IE's and 12 of FF's were memory corruption or buffer overrun issues, which I'm guessing ought to be caught by the underlying OS. FF had 11 Security Zone Bypasses, of which IE had none, and FF had 13 "Other" critical security issues, versus IE's 6.

Security Zone Bypass is just one type of an elevation of privilege attack. And "Other" doesn't really tell us much, but let's assume that all "Other" vulnerabilities are Bad.

FF, then, had 24 critical security issues that wouldn't necessarily be caught by modern OS memory protection schemes common to both Windows and Linux, to IE's 6.

Hey, I'm no MS fanboy, but the above is what I managed to take home from the article.

Re:Firefox? Opera? Safari?

[HartDev]

Hey if they are making good money, where do I sign!? I mean I have worked two tech support jobs and one Web design firm job, and the way it has been in all of my experience is that they will pay you as little as possible and then fire you if you ever think you deserve more, wish I was 17 again and have had no web development experience! Good comment by the way!

Re:Firefox? Opera? Safari?

[nbannerman]

Agreed - this is why I replace all my users with inanimate carbon rods - I haven't had a security problem in months!

Re:Firefox? Opera? Safari?

[grcumb]

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience. It's a Troll because anecdotal evidence boils down to pretty much this: "That's what my personal experience leads me to *feel* is true, and here are some numbers (I made up) that *feel* right to quantify my *feelings*."

That is as far from the definition of a troll as can be imagined. Re-read the moderator guidelines about the difference between 'Flamebait', 'Troll', and 'Factually Incorrect'. Attitudes like yours make meta-moderation necessary.

On top of everything else, it's not necessarily even wrong. I can give you 'anecdotal' evidence based on servicing computers for a local user community of about 40,000 people. My observations haven't been formalised or codified in any way, so I can't make any claim to scientific observation, but I can tell you that what I see on a day-to-day basis is relevant and significant.

This is valid and useful information in my professional context. You're implication that anecdote is always based on feeling is, ironically, based on a hunch informed by your own bias.

The linked pdf showed that Firefox had 36 critical security issues versus IE's 28.

If you're so bent on getting good data, by the way, you should know better than to blindly add up vulnerability announcement totals and call that analysis.

Re:Firefox? Opera? Safari?

[ceeam]

Though when you go to absolutely legitimate site (that has been infected just last night) with IE and through many of its holes you now got a trojan installed on your machine, how is that a user's fault? Apart from using IE this user did absolutely nothing wrong or stupid.

Re:Firefox? Opera? Safari?

[cp.tar]

Though when you go to absolutely legitimate site (that has been infected just last night) with IE and through many of its holes you now got a trojan installed on your machine, how is that a user's fault? Apart from using IE this user did absolutely nothing wrong or stupid.

I should say that using IE is wrong and stupid enough.

Re:Firefox? Opera? Safari?

[aztracker1]

Though productivity has plummeted...

Re:Firefox? Opera? Safari?

[Nullav]

Considering that it's the default browser on what's basically the default OS, blame for people running IE rests squarely on MS and the OEMs pushing Windows. If I didn't know any better and was buying from an OEM, I'd expect a secure machine; not thousands of attempts at idiot-proofing, just sane default settings, as few background processes as possible, and perhaps some educational material about phishing and downloading apps from untrusted sources or some links pointing me in the right direction.

Re:Firefox? Opera? Safari?

[jaxtherat]

I should say that using IE is wrong and stupid enough. That's pretty bloody harsh. Here's a couple (there are many more) of scenarios I'd like you to think about:

1. 30 - 50 year old couple with no technically competent friends or family (or kids) using a computer from Dell or a corner store. This is actually a pretty large fraction of 'Net users out there, and they use IE and windows through no fault of their own.
2. Scientists and Researchers having to use Active X only data repository sites because they need to get aerial maps from a government site etc...
3. Office workers being forced into using IE due to corporate compliance.

I'd like to see you have the nerve and belligerence to walk up to any of these people and say: "you're using IE so therefore you are wrong and stupid", when they are not actually at fault.

Re:Firefox? Opera? Safari?

[berzerke]

I should say that using IE is wrong and stupid enough.

Except some sites require it (ADP is the worst), and I can't convince management it's worth it to switch to a different company. Personally, I've been searching for a better on-line bank and after the passing the initial screening, one of the first questions I ask is, "Does your site support Firefox?". Most of the time I get a no, use IE. My most recent answer, Feb 11, 2008, states, "Apple Bank's website currently supports Mozilla Firefox version 1.0." Version 1.0! How old is that?!?! The search continues.

Considering Firefox's market share is somewhere around 16%, and according to a recent bankrate.com article, "Fierce competition among banks for customers and deposits has helped keep CD rates propped up." You'd think turning away 1 in 6 potential customers would be a bad idea...

Re:Firefox? Opera? Safari?

[cp.tar]

I'd like to see you have the nerve and belligerence to walk up to any of these people and say: "you're using IE so therefore you are wrong and stupid", when they are not actually at fault.

Putting aside the fact that I had been aiming for a Funny moderation instead of Insightful, this is one fine leap of logic you're suggesting, and some finely chosen words you're putting in my mouth.

While I did describe mere usage of IE as wrong and stupid, it would not do to assume I said IE users were wrong and stupid.
So please, suppress your righteous indignation.

Oh, BTW:

1. 30 - 50 year old couple with no technically competent friends or family (or kids) using a computer from Dell or a corner store. This is actually a pretty large fraction of 'Net users out there, and they use IE and windows through no fault of their own.

I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get injured or killed during untrained computer use doesn't mean that untrained use isn't irresponsible.

2. Scientists and Researchers having to use Active X only data repository sites because they need to get aerial maps from a government site etc...

Defective by design == wrong and stupid in my book.

3. Office workers being forced into using IE due to corporate compliance.

See above.
Furthermore, if shit happens because users adhere to corporate policies, then any damage caused to their workstations is not their fault, but the policy's. And in that case, the policy is wrong and stupid, so I pass Go and collect my $200.

Re:Firefox? Opera? Safari?

[cp.tar]

Have you considered mailing every bank that requires IE and/or fails to support Firefox that you have decided not to become their client due to IE lock-in?

Send enough mails and you may see some improvement; the management is probably unaware that this may be an issue.

Re:Firefox? Opera? Safari?

[jaxtherat]

Wow. A bit elitist eh.

I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get injured or killed during untrained computer use doesn't mean that untrained use isn't irresponsible. How do you suggest that my aforementioned demographic educate themselves if they don't even know that they 'need' education?? Especially when the market and the media do their best to tell people that computers are 'point and click' and require no education and training?

So, how is the user at fault?

Defective by design == wrong and stupid in my book. Yeah, true. But some people have no choice. If you are required by your University or employer to access a government data repository that is Active X only, you're kinda fucked aren't you?

Again, how is the user at fault?

All I'm trying to say, is pissing on users who don't know any better, or are between a rock and a hard place is hardly helpful. You'd be more productive lobbying relevant parties, educating anyone you can, and boycotting technologies you disagree with.

I don't think I put anything in your mouth at all, I just interpreted your post as elitist drivel, and quite frankly so would someone who is a little insecure about their tech competence, who are also incidentally the IE using crowd.

Re:Firefox? Opera? Safari?

[cp.tar]

Wow. A bit elitist eh.

I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get injured or killed during untrained computer use doesn't mean that untrained use isn't irresponsible. How do you suggest that my aforementioned demographic educate themselves if they don't even know that they 'need' education?? Especially when the market and the media do their best to tell people that computers are 'point and click' and require no education and training?

So, how is the user at fault?

Ignorantia legis neminem excusat.
While this is of course related to law, I see no reason not to apply it here.

Defective by design == wrong and stupid in my book. Yeah, true. But some people have no choice. If you are required by your University or employer to access a government data repository that is Active X only, you're kinda fucked aren't you?

Again, how is the user at fault?

Did I say users were at fault? Please, do point out where I said that users were at fault in this instance.

And stop putting words in my mouth.

All I'm trying to say, is pissing on users who don't know any better, or are between a rock and a hard place is hardly helpful. You'd be more productive lobbying relevant parties, educating anyone you can, and boycotting technologies you disagree with.

I should say that those between a rock and a hard place are in a much better position to lobby than I am. Especially since I may not be on the same bloody continent.

I don't think I put anything in your mouth at all, I just interpreted your post as elitist drivel, and quite frankly so would someone who is a little insecure about their tech competence, who are also incidentally the IE using crowd.

Well, they wouldn't be reading /., now would they?

Read what is written; do not imagine stuff that isn't.
And if you draw conclusions, do try to make them follow logically from what is written.

Re:Firefox? Opera? Safari?

[jaxtherat]

Did I say users were at fault? Please, do point out where I said that users were at fault in this instance. Sure thing buddy, from your OP:

I should say that using IE is wrong and stupid enough. and looking up 'using' on Wiktionary gives me:

Verb, using

      1. Present participle of use. which then led me to this:

Noun, user (plural users)

      1. One who uses or makes use of something, a consumer. linkage: http://en.wiktionary.org/wiki/user

Hence my interpretation.

Anyway, arguing on slashdot just makes us both look like retards so I'm just gonna concede defeat at this point.

Re:Firefox? Opera? Safari?

[ciscoguy01]

FYI, I use Firefox 2x with Wellsfargo.com, and it works just fine. No problems at all.

Re:Firefox? Opera? Safari?

[arminw]

....a government data repository that is Active X only......

Why does the government use a proprietary, special format? Is there no way such data can be stored and disseminated so ALL computers, such as Linux and Macs can access it equally well? It seems that the taxpayers ought not subsidize any one particular company's data format. Isn't that why there are standards open to all? I think this is the government's fault.

Re:Firefox? Opera? Safari?

[arminw]

......Apple Bank's website currently supports.....

I have found that with Safari, whenever I get a message from a web site that it only works with IE, that this is because their server checks what browser is calling it. Most of the time, if I tell Safari to lie and tell that stupid site that it is being talked to by IE, everything works perfectly or is at least useable. The exceptions to this are few.

Re:Firefox? Opera? Safari?

[Lotunggim+Ginsawat]

If it isn't scientific, then it is anecdotal. If you want your evidence to be taken seriously from your sample of 40000, you better make your case public, such as how you collect your data, what statistical techniques you use, margin of error etc. If you graduated from a decent university with a computer/multimedia degree, you should at least taken basic statistic subject which should at least help you. Or else, your observation is biased and based on feelings.

Anecdotal evidence is always based on bias and feelings. Your information based on the sample of 40000 people is anecdotal. You do not agree? Then please make your case here professionally, the way you learn it from your statistic classes (or better marketing management classes).

Re:Firefox? Opera? Safari?

[jaxtherat]

Of course, absolutely the government is at fault. I agree 100%

I just don't think that the unfortunate users of the system should be branded as idiots.

Re:Firefox? Opera? Safari?

[cp.tar]

Did I say users were at fault? Please, do point out where I said that users were at fault in this instance. Sure thing buddy, from your OP:

<snip>

Hence my interpretation.

At least you admit these were not my words, but your interpretation.

Re:Firefox? Opera? Safari?

[cp.tar]

I think this is the government's fault.

A government doing things that are wrong and stupid?

I'm positively shocked.

Re:Firefox? Opera? Safari?

[tsjaikdus]

>> How is that a troll?

That's not a troll. He is bashing MS. So we are obliged to laugh. Haha.

Re:Firefox? Opera? Safari?

[rkd2110]

Using IE is neither wrong nor stupid. It's a matter of personal preference. If some user (definitely not me) finds IE7 more comfortable then FF, well, it's his decision.

There will always be a more secure method of browsing. FF/Opera are definitely not as secure as wget from a linux terminal, and even that is not as secure as telnet to port 80 from an OpenBSD machine. Are you telling me that you're doing everything for security?

If you want to blame users for something blame them for clicking on the "You've Just Won Our Bazillion Dollars Jackpot" pop ups...

Re:Firefox? Opera? Safari?

[baboo_jackal]

On top of everything else, it's not necessarily even wrong.
Lemme replace the word "necessarily" with the word you meant to say: Possibly.

Anecdotal evidence amounts to "My Very Own Personal Experience, which my feelings tell me is true, and is also generalizable to ALL similar situations!" It doesn't prove anything.

If you're so bent on getting good data, by the way, you should know better than to blindly add up vulnerability announcement totals and call that analysis.
Hey, that's all the article and the supporting pdf had. If they had anything more tangible to work with, I'm sure they would have offered it. I was just using what they offered.

The minute that vulnerabilities were monitized...

[DigitalSorceress]

It seems to me that the moment that organized crime found a way to make money off security vulnerabilities (Spam, ID theft, Ransomware, etc...) the writing was pretty much on the wall (though I'm still trying to figure out what it says). It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

Welcome to the wild, wild net.

If this is brand new...

[More_Cowbell]

Then why do I feel like it is so old and obvious that it needs a 'duh' tag?

Re:If this is brand new...

[InsaneProcessor]

Then why do I feel like it is so old and obvious that it needs a 'duh' tag?
My thought exactly......DUH!

If you know there's a hole . . .

[arizwebfoot]

Why not plug it?

Re:If you know there's a hole . . .

Those who understand the problem do just that -- they disable javascript.

Re:If you know there's a hole . . .

[risk+one]

I think you're confusing organized crime with the sex industry.

Drop in vulnerabilities... really?

[grassy_knoll]

From TFA:

The overall number of vulnerabilities reported for the year went down for the first time in 10 years.

Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up ( as it has been in the past 10 years ) but detection is getting worse.

Explains the odd attempted breakins..

[downix]

Over the past 4 weeks I've noticed a rash of almost hourly attempted breakins to our servers.

Here's a sample:
ftp attempts for 5 hours straight:
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from ::ffff:82.186.102.42 [::ffff:82.186.102.42] to ::ffff:192.168.10.26:21
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded

ssh attempts almost constant since last friday:

Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith

When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in english, sometimes japanese or chinese. Does anyone know of someone that keeps track of these things, so I can send my logfiles to?

Re:Explains the odd attempted breakins..

[KublaiKhan]

The folks over here keep track of that sort of thing. You may want to speak with them.

Re:Explains the odd attempted breakins..

I just go to ARIN.net and look up the technical or abuse contact for whoever owns the netblock containing the IP. I tell them suspicious/malicious activity is coming from one of their IPs, and include a short log excerpt. Usually the machine is dealt with pretty quickly, though I've been lucky... the few attacks that hit me came from pwned hosted servers in the US. If you're getting hit by machines in another country, or by machines on consumer broadband, good luck getting anyone to give a shit.... just firewall them.

Re:Explains the odd attempted breakins..

[sirgoran]

Whoops!

Sorry, my bad. Thought I was on my server...

Re:Explains the odd attempted breakins..

[Tolabrew]

I thought exactly what you wanted....

http://www.justin.tv/phrozencrew1/67752

Re:Explains the odd attempted breakins..

[ssstraub]

Rootkit Revealer (Windows). This was written by Mark Russinovich before he joined Microsoft.

Re:Explains the odd attempted breakins..

[bberens]

Generally, but not always, you can watch outgoing traffic logs on your router to see if there's stuff going on that doesn't make sense. Most people don't have that kind of time. Also, it may be your router which was rootkitted. :)

Re:Explains the odd attempted breakins..

[cheater512]

Your looking for this for your SSH logs: http://denyhosts.sourceforge.net/
It will automatically detect and block the attackers and optionally add them to a gobal block list.

Re:Explains the odd attempted breakins..

[downix]

My router is a SPARC running OpenBSD... which only allows SSH access from the internal LAN. I love my router...

Re:Explains the odd attempted breakins..

[jschottm]

The article has very little to do with what you're describing - simple common name/password attacks - which have been going on for years. Iif [sic] you use non-attack-dictionary passwords, these aren't a threat. They just sit there and try things like root/password, root/passw0rd, etc.

These attacks are so common that no one tracks them anymore. SANS has a system that you can submit your firewall logs to but not the detailed syslog information. You can attempt to report the attacks to the appropriate parties - the ISP in the case of home users, the admins of servers, etc. Sometimes you'll get results, often you won't.

Have you disabled root logins for ssh? If not, so so. If you want to reduce the chatter that fills up your log files, change ssh to a different port. You can get various software to automagically firewall off offending systems, but be careful in configuring them - if you're not careful you could end up accidentally blocking out yourself or your users (or allowing someone else to do so).

Re:Explains the odd attempted breakins..

[stavros-59]

How does one tell if they are rootkitted? I have the latest patches and updates to my anti-virus, firewall and anti-spyware software but none of them mention anything about rootkits... Another thing that worries me is my software is all free! Comodo for my firewall, Avast for my anti-virus and Adaware for my anti-spyware...is the free software much worse than the stuff you have to payout for?

By definition rootkits are hidden from the user in normal use. On Windows systems they are usually installed as driver files with a .sys extension, often with a registry entry, or entries, to ensure startup. More on rootkits http://en.wikipedia.org/wiki/Rootkit

There are a number of further references on the Wikipedia page that you use to find out more about them.

This is a list of "known" Windows NT related rootkit files with details of which rootkit pack they belong to http://www.bleepingcomputer.com/startups/rootkit.html

There are a number of rootkit detectors for Windows, but there are also many legitimate files on Windows systems that have hidden attributes for some reasons, so any rootkit detector must be used with care. Windows provides many paths of infections, but most rootkit anchored malware requires user intervention of some kind. Accepting unknown software, going to a subverted webpage or a webpage with ads that have been subverted to install malware when a vulnerable computer is found. Most of the installers use a script to check for available exploits.

Best protection is not to use Internet Explorer, next best protection is to disable javascript on untrusted websites or when you are using webpages you wouldn't show your mother.

Re:Explains the odd attempted breakins..

[mikael]

I used to get those on my home system - it was really obvious that something was happening as both the hard-disk drive and the network lights on the cable model were thrashing away and the desktop slowed down to a snails pace. The only solution at the time was to disconnect the network table. The sysadmin logs showed that over 300 login attempts had been made within a minute. These would all come from the same address, and come in two or three waves, although these could be anywhere in the world (Europe or Aisa mainly).

Re:Explains the odd attempted breakins..

[halber_mensch]

Your looking for this for your SSH logs: http://denyhosts.sourceforge.net/
It will automatically detect and block the attackers and optionally add them to a gobal block list. It's really more effective, in my opinion, to simply disable interactive logins altogether and use DSA key authentication. Brute force login attempts become a negligible threat, since attackers are not trying to spoof dsa private keys and even if they did the sheer number of possible dsa keys combined with the number of possible user names makes the chance of a successful breakin very very slim. Using denyhosts requires that the botted cracker machines out there be given a good chance to brute force their way in before they can be added to the list, so even though you can block some hosts you know are trying to get in, you can't preempt future attackers and the vulnerability is still there.

Beware the"funny" moderation in Organized Crime...

[HairyNevus]

...It begs the question "how am I funny to you?"

I wonder what the profits look liike.

[kabocox]

We've seen what kinda of profits spam brings in. I wonder how profitable this is.

Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/. It's claimed by a group that be like this. That address used to be shareaza's main site, and it easy for many to not know to go to http://shareaza.sourceforge.net/ for the new updates.

original report

[formant]

Here is the link to the source : http://www.iss.net/x-force_report_images/2008/index.html/

Re:original report

[formant]

http://www.iss.net/x-force_report_images/2008/index.html that's it

Oooo! The X-Force!

[Quiet_Desperation]

I didn't know IBM hired Rob Liefeld. Did they put Cable in charge of the investigation?

Organized crime, huh? When they hit your browser, does the screen just go black?

Re:Oooo! The X-Force!

[FudRucker]

RE:["Organized crime, huh? When they hit your browser, does the screen just go black?"]

well it is called the "Black Market"...

That's not the worst of it.

[khasim]

It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.

What happens if your employer loses a laptop with your SSN, name, etc on it?

Eventually, the criminals are just going to start building a database with whatever information they can find.

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

Re:That's not the worst of it.

Potentially the problems you state are only the scraps, unfortunately it is getting to where every filing cabinet and vault in the world has multitudes of vacuum pipelines hooked to it and organized crime is working hard on figuring out how to break down the filters and routing on these pipelines and channel the flow to themselves. Think in terms of the old vacuum pipes for paper and money transfers inside old department stores and then expand it world wide, now try to imagine keeping it secure, not just your part of it but everyone's part that you connect to and everyone's part that they connect to ad infitum, welcome to the internet.

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?

Side warning to businesses and individuals: Read the above, look around you, let the paranoia begin.

The internet maybe a highly efficient way of doing business, but it can be an extremely efficient way to steal too. Weigh the KNOWN risk factors, is it really worth it?

Organized crime is only the tip of the iceberg.

We may have to become stainless steel rats just to be free.

Re:That's not the worst of it.

[TheRealMindChild]

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

I got that one covered. I just haven't paid several bills for a long while now. If someone tries to get credit with my credentials, all they will get is people laughing and pointing at them

Re:That's not the worst of it.

[SCHecklerX]

It's even easier than that. Every time you pay with your credit card at a restaurant, you are trusting that waiter not to steal your number, or that they don't print a tape with the number on it and put it in the trash unshredded.

Re:That's not the worst of it.

[vertinox]

What happens if your employer loses a laptop with your SSN, name, etc on it?

If you are paranoid like me you will have already called one of three major credit companies (not the free score but Equifax, Experian, or TransUnion) and put a freeze on your credit every 90 days with a fraud alert. Or you can pay one of their subsidaries a monthly fee for any notifications via email or SMS of any changes or requests in your credit (yeah it kind of feels like I'm paying them to solve a problem that is their fault).

On the downside you won't be able to get new credit lines easily while your account is locked so do this after you get your mortgage or car loan. On the upside... No one can do anything with your information without causing some major red flags. Also it seems that the junk mail has ceased.

Just a suggestion for those paranoid types.

Re:That's not the worst of it.

[fishbowl]

>now try to imagine keeping it secure

Okay. We have had easy cryptographic solutions for decades now, many of which are reasonably difficult to break. Make use of them.

Re:That's not the worst of it.

[vertinox]

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?

Re:That's not the worst of it.

[maxume]

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

There is a straightforward way to solve this -- seek out and elect officials who are willing to transfer liability for fraudulent transactions from the person who happens to match the magic number used to initiate the transaction to the institution granting the debt. It might not be easy to find those people and get them past the various financial lobbies, but it would address the problem very effectively. The current situation is madness, people who do absolutely nothing wrong, or even foolish, are left holding the bag for huge amounts of fraud.

Re:That's not the worst of it.

[homer_s]

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

And the banks who lent the money based on a number (that is not even supposed to private) would end up eating the loss. And the credit bureaus who base their business on this number would be run out of business by competitors with better ideas.
At least, that is how it would work in my kooky libertarian world. But I guess everyone likes this setup better.

Re:That's not the worst of it.

[jonbryce]

Which is why they are attacking the endpoints ...

Re:That's not the worst of it.

[ardent99]

Eventually, the criminals are just going to start building a database with whatever information they can find.

This is really important. There are a lot of people who argue that if you have nothing to hide, you don't need to worry about the government tracking your information. This argument tends to have the implicit assumption that the government has your best interests at heart and wouldn't [fill in your worst abuse here]. However, even if you believe this, clearly it is not true about criminals. It is becoming rapidly evident that no organization, including the government, can stop data leaks when arbitrary means to get it are used. Employees and systems are fooled, phished, socially engineered, stolen from, and mess up on a regular and frequent basis. If your information gets out there, it can be gotten.

And if all the information gathered from small leaks in many places were accumulated and mined in one nefarious database, run by someone whose main purpose was to screw over as many people as possible, it would be a huge danger. There would be no "unsubscribe", or "do not call" or FOIA requests that can help you, and no morals to control behavior. Information cannot be revoked.

They only way to defend yourself is to create as many obstacles as possible to collecting and coalescing the information in the first place. Even people you trust can accidentally lose control of the information.

This is the best argument yet for why it *does* matter that you minimize what information is known about you, no matter who it is or for what purpose, no matter how benign it may seem.

Re:That's not the worst of it.

Neglected to mention that it perhaps would not completely be a bad thing if organized crime were contributing to F/OSS, after all they have similar interests in secure computing that the NSA has.

Re:That's not the worst of it.

[Cederic]

This is why the waiter never gets to touch my card, and hands the sole copy of the tape with its number on it directly to me. The copy he gets to put in the till hasn't got the number on it, the card reader is brought to my table, there are minimal opportunities here.

Ok, back in the real world.. half the restaurants still print the number all over the place, half the waiters take your card over to the machine instead of bringing the machine to you, the machine uses unencrypted wireless signals and there is documented evidence of modified card readers being used that just capture your card number and/or PIN electronically.

Which is why the payments industry are looking at introducing alternate payment mechanisms that address these vulnerabilities. It's still not an excuse for HMRC to lose your personal data.

Re:That's not the worst of it.

[dave562]

Exactly. At some point the data has to be decrypted to be consumed.

Re:That's not the worst of it.

[dave562]

If the programmer is low paid their work is being reviewed via the QA process. Now say what you will and laugh all you want about the idea of Microsoft QA, but I can assure you that the odds of one single programmer being bribed and inserting malicious code into a core library is pretty low.

Re:That's not the worst of it.

[dave562]

the machine uses unencrypted wireless signals

I call BS on this one. I've done a couple of POS implementations for restaurants and all they all used WPA encryption on the devices and the access points were setup to only accept connections from a pre-defined list of MAC addresses. Ya ya, MAC addresses can be spoofed but it is going to take an attacker a long time to hit a restaurant wireless network. The majority of restaurants still swipe the card at the hard wired terminal anyway. The restaurant industry has been dealing with confidential credit card information for a long time. The major POS vendors are up to date on what it takes to keep the data safe.

Re:That's not the worst of it.

[icydog]

A large bureaucratic organization like MSFT will have code reviews before anything can be committed. Sure, we all know that a clever programmer can obfuscate his code in such a way as to prevent it from being detected by a simple code review -- but what would he be doing in a low-paid job?

Also, Microsoft pays very well. An entry-level job pays anywhere from 1.5-4x the hourly rate of an investment banking job, depending on the bank's bonus that year.

Re:That's not the worst of it.

[NatasRevol]

That's the job of the high paid ones!

Re:That's not the worst of it.

[rifter]

If the programmer is low paid their work is being reviewed via the QA process. Now say what you will and laugh all you want about the idea of Microsoft QA, but I can assure you that the odds of one single programmer being bribed and inserting malicious code into a core library is pretty low.

More like, by the time his code makes it through QA/review/standard revisions, it will be incomprehensible compared to what it was originally and his clever little trojan won't work anymore :D.

We hope...

Re:That's not the worst of it.

[dave562]

Pretty much. I can see it now. "What's all of this highly optimized assembly code doing in here?! We need to re-write it in Visual Crap 2.0 so that it is fully Web 3.0 buzzword extensible and slow as molassas on a cold day if you try to run it on anything less than a quad-core Intel chip."

Dat's a nice browser yous got

[gnarlyhotep]

Be a shame if sumfin' were to happen to it, like.

Re:Dat's a nice browser yous got

[noidentity]

Dat's a nice browser yous got... Be a shame if sumfin' were to happen to it, like.

...oh, that's not runnin' Winders? Sorry to have bothered you.

Re:The minute that vulnerabilities were monitized.

[KublaiKhan]

Kinda leads to interesting thoughts...perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods, in the interest of keeping that sort of thing away from our systems.

I know I'm probably going to have to make another scan of my landlady's computer...she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT" :-/

Lack of Security of any System on the 'Net

[RobBebop]

stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'.

5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?

And what personal information is it? To extend the old saying "If it is on the internet, it is public". Well, *all* information you store the computer that you access the internet suffers from this lack of security.

A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet. This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.

But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shutdown outgoing ports/services on Linux than on Windows.

As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.

Re:Lack of Security of any System on the 'Net

[starfishsystems]

In fact, no security, of any kind, anywhere, is absolute.

For example, critical US Department of Defense secrets have ended up in the hands of adversaries, despite extreme efforts to safeguard these secrets. And the same is equally true, of course, for other nations. Thus there is demonstrably not a condition of absolute security, even at the most secure end of the scale.

But we're talking here not about military security and state espionage but about web browser vulnerabilities. For the most part the browsers in question are running on consumer grade systems which are not professionally managed. The perception of value and risk for a consumer product is at a much lower point on the scale relative to a hardened military installation. The same security principles apply, of course, but the tradeoffs are characteristically different.

I agree with your comment that it does not help to obscure the security tradeoffs on consumer systems. That encourages misperception. But it also doesn't help to talk about security as if it were all or nothing. That encourages another misperception.

It's not the case that all information is fully exposed if it's not fully secure. The middle ground is quite acceptable for many purposes. For example, safes are rated in terms of how much time is required to break into them, not whether they are or are not absolutely secure. A safe with a higher rating is bigger, heavier, and more expensive. So there is not an absolute solution but instead a range of solutions to suit different needs.

This works because the rating of safes is easy to understand. What we need in the computer industry is a similar objective rating for system security. And as Bruce Schneier points out, this is likely to come about not because of consumer demand directly, but as a result of pressure by the insurance industry.

Re:Lack of Security of any System on the 'Net

[RobBebop]

pressure by the insurance industry.

Snake oil? Software insurance? Can you actually sell this? Oh... sign me up.

1. Sell software insurance
2. ???
3. Don't validate claims because users had insecure protection

Oh, I'm going to go file a patent for this....

To reply seriously...

The perception of value and risk for a consumer product is at a much lower point on the scale relative to a hardened military installation.

To say that users don't store information that has high value to them to be kept private is silly. I was *very seriously* suggesting a non-networked computer to give security. This would eliminate the opportunity for a *software failure* to cause the data to become public. It is understood that a family-member could connect the machine to the internet or either accidently or maliciously copy the data to a machine on the network, but without the act of a human being... the data would be 100% secure.

I've been saying this for a while now

[rufusdufus]

I've been saying this for years now: antivirus and firewalls cannot protect from sophisticated attacks.

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]

Nobody wants to hear this. I'm not exacty sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.

Re:I've been saying this for a while now

[hotdiggitydawg]

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive. Who gets to define the term "malignant code", and how? There's your barrier right there. One man's malignant code is another man's valid program (ref. Trusted Computing).

Re:I've been saying this for a while now

[durdur]

executable code must be embedded in hardware read-only media and must be reloaded after every session What happens when you need to update this executable code? How do you ensure it is only ever updated from a secure/reliable source?

Re:I've been saying this for a while now

[NotBorg]

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]

Because there's no reason to update software, ever? I know that I get security updates all the time which I'm happy to say I didn't have to replace a chip to apply. The fact that you can't modify code doesn't make it perfect. Just because you can reload the same imperfect code doesn't mean you'd want to. Your reloading because it was compromised right? Just gonna hold that reset button down indefinitely?

Re:I've been saying this for a while now

[starfishsystems]

Nobody wants to hear this. I'm not exacty sure why

Could be because it's an extreme position? Or because knowledgeable system designers don't see that it solves anything? Just a thought.

Re:I've been saying this for a while now

[m50d]

That would defeat the entire purpose of a general-purpose computer. If that's what you really want out of a system, enjoy your WebTV

Re:I've been saying this for a while now

[TheRaven64]

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session

Nobody wants to hear this. I'm not exacty sure why; Because you completely fail to understand the idea of a Von Neumann architecture machine. There is no semantic difference between data and executable code. Want to run a spreadsheet? Those formulae are all executable code. Want to run a web browser? What do you think all of that JavaScript is? What about word processor macros? If you limited a computer to running locked software, you would dramatically reduce its usefulness.

You are also completely ignoring the fact that data persists even if programs don't, and it just takes one arbitrary code execution on malformed data vulnerability to send all of your data over the network.

New form of stick-up?

[DoofusOfDeath]

Hand me your cache!

(Sorry - for humor I go for quantity, not quality.)

Re:New form of stick-up?

[Punko]

Actually, I laughed out loud when I saw the tag "sleepingwiththephishes" now THAT's funny. But hand over your cache is good, too.

Re:The minute that vulnerabilities were monitized.

[gnick]

perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods That's an interesting idea and may function just fine at a land-lady level. But, for some reason, my bank balked at the idea of granting me admin access to their server so that I could make sure that my personal info was secure.

Kick Windows off the Internet

[EllynGeek]

I did read the actual report, all 56 pages of it. As usual, Windows' total lack of security guarantees that any random blackhat with a minimum of skill can exploit it. Go ahead and mod me Troll again, you lameass Microsoft-fanboi moderators, but it won't change what the report says- Windows is the problem.

Re:Kick Windows off the Internet

[gnick]

Windows is the problem. I'm certainly no MS fanboy, I don't consider your original post a Troll, and I won't even argue your 90% speculation. But I can't blame Windows's security for this. When you have 76% of the market share, it doesn't seem unreasonable that the blackhats will target you 90% of the time. So, unless their security is head-and-shoulders better than the competition, they will still have the most breaches.

Re:Kick Windows off the Internet

[RiffRafff]

Criminals don't steal the most abundant ("popular") car; they steal the easiest. Yet another car analogy, but it works here. Windows' security is knees-and-ankles below the competition. They get targeted first. Otherwise you'd see the Web getting broken everyday, since it's mostly run on Apache with non-Windows servers. IIS and its ilk still get targeted first. Or so has been my observation.

Re:Kick Windows off the Internet

[EllynGeek]

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that. It's just not true. Well, it's partly true- with the perfect combination of easily exploited and dominant market share, it's a perfect recipe for organized crime and blackhats of all varieties to run rampant. If an open-source Unix-type operating system were dominant, we would not be seeing all the spam, malware, and botnets that feast unhindered on Windows. The Internet would be a lot safer and a lot less polluted.

The fact is that Windows' sieve-like architecture welcomes malware into the guts of the operating system, while hindering users at every turn, and tight integration with applications and server stacks guarantees that the most peripheral exploits will find a red carpet into the core of the operating system. This is not true of Unix-type operating systems, which are inherently far more secure. Windows' dominant market share ensures that the damage- billions of dollars wasted on extra bandwidth, "security" applications, abuse desks, fraud and identity theft, and so forth- is pandemic. Windows is impossible to secure. It will take a ground-up rewrite to fix it.

There are fundamental differences in culture- in the Unix world, or at least in the open source part of it (Linux, FreeBSD, OpenBSD, NetBSD, OpenSolaris), vulnerabilities are not denied or hidden, but are out in the open and dealt with. It's been proven over and over that openness = stronger security. Two good examples are OpenSSH and OpenSSL. Both are open source, both are used universally in all kinds of applications, such as secure remote sessions and Web applications. Their code is wide open and they are thoroughly documented. Anyone can study their inner workings. Are they successfully exploited? No.

This article is a good start for understanding the fundamental architectural differences: http://www.theregister.co.uk/security/security_report_windows_vs_linux/

Re:Kick Windows off the Internet

[SCHecklerX]

[the majority of] Windows users are the problem.

Fixed that for ya.

Re:Kick Windows off the Internet

[BForrester]

Parent is completely wrong.

Look up any list of "top" stolen cars. See: Civic, Camry, Accord. These are all abundant, popular vehicles with standard theft-deterrent devices, but that can easily be sold or cannibalized for parts on the black market. Nobody steals the easy vehicles such as old beaters, tractors, and idling delivery vans because they have little market demand, hence value. Virtual crime is not concerned with "resale" potential -- the car analogy is broken.

Re:Kick Windows off the Internet

[gnick]

Yet another car analogy, but it works here. Stealing cars and exploiting computer exploits are completely different situations. Imagine a city where 76% of the population drove Hondas. The other 24% drive a variety of cars of roughly the same value. Each make of car has a different security system. Now, if you can figure out how to get around Honda's security system, 76% of the cars in the city are yours for the taking. If you figure out how to get around Buick's security system, you have your choice of the handful of Buicks driving around.

Despite EllynGeek's impassioned opinion to the contrary posted below, I have no problem believing that 90% of the criminals in the city would focus on Honda.

Re:Kick Windows off the Internet

[gnick]

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that. Wow, that was kind of nasty... Did my post somehow make it sound like I thought Windows was as secure as its competitors? The superior security is one of the many reasons I've got Slackware installed.

That said, Windows is attacked much more than the other OS's. It's more popular and, in general, its users are less computer-savvy. If I were a blackhat, Windows would certainly be my choice target for a variety of reasons - Even if it was on an even-footing security-wise with its competitors. I'm certainly on board that market share is not the only reason that Windows is targeted more than others - Not remotely. But, if you have some evidence that "totally debunks" the idea that market share and attack target are correlated, I'd love to see it.

Re:Kick Windows off the Internet

[gnick]

with 76% market share, *reasonable* would be blackhats targeting you 76% of the time. One bank has good security and $24,000 on hand. Another bank has poor security and $76,000 on hand. 90% of bank robbers will decide to rob the latter. The other 10% are either idiots or have ulterior motives for picking the former.

Re:Kick Windows off the Internet

[EllynGeek]

My apologies- I have this twitch whenever I hear "it's because of market share!" Sorry!

Re:Kick Windows off the Internet

[thejynxed]

If I were a blackhat, servers running Unix-like OSes would certainly be my choice target for a variety of reasons. In fact, I would dare say most spam/spyware/virus outfits are nothing more than the low-end of the criminal scale. The REAL blackhat/criminal organizations want the servers, and most servers run Unix or a Unix-like OS...

That's where the real $$$ is at kids. I would venture a guess and suggest that they use their low-end spam/spyware/pr0n operations (and all the misery that entails for end-users and sysadmins) to fund the attacks against their REAL targets - the servers and the enormous wealth of data accessible via the same.

Re:Kick Windows off the Internet

[gnick]

No sweat - I have the same twitch when somebody tells me to "educate myself". I understand the knee-jerk "OMG - This guy might think that that Windows is as secure as [Insert ANYTHING else here]!?!" reaction. I have the same thing IRL and it kicks up more often than it should. Cheers.

Re:Kick Windows off the Internet

[TheRaven64]

Go for both. If you hijack a UNIX server running a reputable web site (e.g. news.bbc.co.uk, with millions of daily visitors), you can use it to install your client-side malware and get copies of online banking details and so on.

You know...

[Guppy06]

"In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007."

If they're going to hose my Windows boxen and install spurious applications of dubious intent, I find that I prefer if they camouflage their attempts so as not to bother me with constant popups from the system tray telling me to install their spyware to get rid of spyware.

Re:The minute that vulnerabilities were monitized.

[KublaiKhan]

Well, start small, anyway. The bank can afford to make itself secure, but if every computer in the neighbourhood is sending out Russian viagra ads, your bandwidth will suffer--so doing some basic cleaning and firewalling will benefit you bandwidthwise.

Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection... ;-p

Come to think of it...does anyone know of any successful examples of a "co-op" pseudo-ISP like that that already exists?

Re:I wonder what the profits look like.

[J0nne]

That particular domain was basically taken over by the recording industry (the real story is longer), although I guess one could say that's organised crime too.

This does not surprise me at all...

[Panaqqa]

...after all, it was only a matter of time once rootkit source code was published for anyone to grab. From that time onwards, true stealth malware was possible to create without needing to be a security researcher. Combine the ease of integrating someone else's rootkit code into a payload with a vigorous open market for Windows vulnerability information ($25,000 gets you a brand new zero-day exploit) and you reach the situation we have today.

Some people believe the largest botnets out there are ones built with the Storm Worm or other similar exploits. My bet would be that there are plenty larger out there, undetectable because they hide behind rootkits and don't do stupid stuff like turn the box into a spam cannon. And for people who think that the C&C (Command and Control) would be detected, think again: if a rootkit can conceal a file then it can also conceal a process, a named pipe, an interrupt handler, you name it.

Re:This does not surprise me at all...

[Charbox]

It can not, however, conceal unexplained activity in a virtualization box, which is standard practice in honeypot security research (and yes the experts can detect when code tries to tell if it's runing on a VM.) It also can't conceal unexplained packets in and out, which is how most of the botnets are discovered -- in the wild, not honeypots.

Got plugins?

[jschottm]

The web is not just HTML at this point. Both QuickTime and RealPlayer have had notable exploits in the past few months. Acrobat and Flash have had major security holes as well. Just relying on the fact that you're using Firefox doesn't mean that you're not vulnerable.

Re:Got plugins?

[TFGeditor]

The summary and article said "browsers."

Re:Got plugins?

[bob_herrick]

Last time I looked, RealPlayer had an embedded browser. Has that changed?

Redundancy..

[DigitAl56K]

controlling the computers of consumers at 'a rate never before seen on the Internet' Before remote control of computers starting occurring on the Internet the majority of hacks came from psychics, thus explaining the ever popular tinfoil hat.

It _is_ true that the NES is impervious to attack.

[northstarlarry]

Every time I close my text editor and then realize that I meant to type a few more things, I have to take the ROM cartridge out of my computer, put it back in, wait for the volume to be checked, then for the executable to be moved into faster storage (so swapping doesn't take half a minute), and only then do I get to wait for it to be copied into main memory and run? Or is the interim storage too insecure?

How many ROM slots am I supposed to have on my desktop machine? Three, maybe four? So, let's see, I can listen to music, browse the web, have a chat program open, and if I've got a sweet computer, I can also use my calculator application! If I can find all the cartridges on my desk!

Software updates (er, hardware updates?) can now only be obtained conveniently at your nearest MicroCenter or Fry's. F/OSS software^Whardware^Wsecure-read-only-executable updates can be easily obtained by mailing a SAS, padded envelope to the appropriate developer (who now needs a commercial source of ROMs, and a machine to print them, along with the time to do so), who will happily mail you back your ROM just as soon as he or she gets around to it, for a small fee to cover the cost of the media (oops, I guess it's just OSS now!). Old copies of softw^Whardwa^Wwhatever can be conveniently recycled at almost no cost to the user by returning them to the developer.

Do embedded video players count as "executable code"? Congratulations, YouTube is now NetFlix. Welcome back, text-only Web pages. Goodbye, everything that makes the Web useful and interesting.

And you don't understand why nobody thinks it's a good idea?

Re:The minute that vulnerabilities were monitized.

[gnick]

Hmmm... Your ideas intrigue me and I'd like to subscribe to your newsletter. But, the only implementations I know of were at a municipal level rather than a neighborhood organization.

... which is why it's a good idea to ...

[WD]

... secure your web browser. Many browsers are not secure out of the box, which puts you at risk of attack.

Re:... which is why it's a good idea to ...

[g8oz]

Another good idea with Internet Explorer:

Go to Tools => Internet Options => Advanced => Disable "Enable third party browser extensions".

I've found it prevents quite a bit of spyware from running even if it has installed itself, and is a quick help for complaining friends & family who want you to do something about their slow computers.

Re:The minute that vulnerabilities were monitized.

[KublaiKhan]

If you had one house in the neighbourhood that could get a fibre connection, you could hook up a router, put wireless access points in the various houses, and route the traffic that way.

Or do it wired, o'course, but that might be a bit more complicated, and probably really would only be practical for an apartment building.

Re:The minute that vulnerabilities were monitized.

[angus_rg]

Now that Moe Green is out of the Tropicana, what else would we expect them to do?

Re:Beware the"funny" moderation in Organized Crime

[Tetsujin]

"Joke" is to "Anonymous Coward" as "Anvil" is to...

A) Hammer
B) Forged Steel
C) Wile E. Coyote...

How vulnerable am I?

[Repton]

Consider this hypothetical situation: I'm running Windows XP with no firewall and no antivirus. I'm on broadband and my ADSL modem/router does NAT with no port-forwarding rules set up. I'm fully patched and run out-of-the-box firefox. I don't run executables from untrusted sources, I understand how to treat email attachments, and I'm smart enough not to get caught by phishing.

How vulnerable am I? How likely is it that I will get compromised?

Does the answer change if I'm running fully-patched IE7?

Danger Will Robinson!

[tacokill]

blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive

And therein lies the problem. Who decides what is malignent and what is not?

If we implement the "hard coded" solution you propose, then by default, we give ALL of the coding power to the companies that do that hard coding. Talk about lock-in! But if you leave it "open" and allow amateur's programs to run, then you have the malignancy problem you mention. The whole problem is that we do not have an automated way to determine "good" code from "bad" code. And that's not going to change because it is a subjective assessment.

Classic catch-22. Your most hated rootkit is my most prized Administrative tool. So who is right?

And In Turn...

[flyneye]

In turn this could fuel a new breed of cyber"bounty hunter" who could hunt down and physically sanction the criminals(nothing to do with the law of course)even ones presently behind bars could be made an example of.
It could fall under the concept of avocation or even sport.
Hey,if you can think of it,someone will do it.(LOL, now we're all thinkin' it,so let's give it some energy and watch for that /. article on the first moron to "sleep with the phishes)

People See Plugins as Browser Components

[reallocate]

QuickTime, Real Player, Acrobat, Flash, etc., etc., are all technologies that most people experience inside their browser. They're all just more stuff you need to download to get your browser to work. If the web was just HTML, it would be pretty boring. And Slashdot wouldn't exist.

Re:People See Plugins as Browser Components

[rifter]

QuickTime, Real Player, Acrobat, Flash, etc., etc., are all technologies that most people experience inside their browser. They're all just more stuff you need to download to get your browser to work. If the web was just HTML, it would be pretty boring. And Slashdot wouldn't exist.

Sure slashdot would exist. That was one of the better things slash allowed. Since the pages are served staticly after being modified on the server by a perl cgi script... or does your html-only world eliminate cgi as well?

Re:People See Plugins as Browser Components

[reallocate]

>>"... does your html-only world eliminate cgi as well?"

Yes. People want executable content, they want to be able to "do stuff" inside their browser. CGI and Perl can't deliver that.

Re:People See Plugins as Browser Components

[drinkypoo]

Actually, it should be possible to write a streaming animated GIF, until you cause some sort of memory allocation error...

Re:The minute that vulnerabilities were monitized.

[ViennaThornton]

There is no longer an easy way to protect yourself, since using an all cash system is impractical these days. Otherwise, I'd suggest just using all cash ;)

Are you mad?

[PinkyDead]

This is organized crime we're dealing with here. When you piss them off they'll send some hired goons around to your house to rearrange your finances.

Re:The minute that vulnerabilities were monitized.

[upside]

I know of one, in Helsinki. Volunteer run non-profit association. Provides connectivity to individual houses and apartments around the area. I've been thinking of such an effort in my parts. It does require a bunch of tech-oriented people to keep it running.