The Coming Botnet Stock Exchange

Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."

Honeypot?

[dhanson865]

Yeah, interesting concept but the fear would be that the botnet owner would respond by saying knock, knock, the FBI is here (substitute the agency you think applies if the FBI isn't your cup of tea).

If you do something yourself you know all the players. If you pay someone to do it you don't know if you are walking into a trap.

disclaimer: I'm not too worried about this as I don't plan on taking either route.

Re:Honeypot?

[dch24]

Business does require a certain amount of trust, but it's amazing how money talks. For example, the conversation might go like this:

"Uh, I don't trust you but I want to search your botnet. Strictly for research purposes."
"I'm trustworthy. I control such-and-such handle over at such-and-such forum. I'm going to post '(some message)' in 5 minutes -- that proves it. But my botnet is expensive. Can you pay?"
"Yeah, here's a paypal gift to prove I have funds."
"Ok, I'm listening. What do you want?"
(And the negotiation goes on from there.)

This is an Apple-like vertical integration of services (but for botnets). The same guy who has "owned" the hardware offers "other services" on his "platform." I couldn't keep a straight face as I typed that.

I don't really think this is a "stock exchange."

Re:Honeypot?

This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.

Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far fetched.

Re:Honeypot?

[fuzzyfuzzyfungus]

There is a notable risk for the botnet owner, as well.

If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breath slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.

Depending on exactly how the exchange is run, basic checks(ie. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.

Re:Honeypot?

[QuestionsNotAnswers]

> I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?

Can this be mitigated? Is it realistic? Will you know how it was compromised?

A primary means black hats use to measure trust for purchases is repeat sales to the same buyer (for differing needs) and maybe some illegal activity e.g. paid via illegal means (to filter out anyone that is constrained to only legal means). Passing those tests is difficult (although possible by professional white-hat-consultants, however white hats want to remain undetected by the black hats so have constraints).

It is also dependent on the price you are willing to pay. Obviously you need to pay the botnet herder more than the sum of: worth of the machine to them, cost of the risk to them due to transaction, cost of sales, their normal profit margin.

If you offer a little, all you will find is bottom feeders and liars - i.e. information value is low.

If you offer a lot, you are giving an incentive to get your network compromised.

Re:Honeypot?

[waspleg]

this has been done for years, it's just not money that changes hands it's other hacked accounts/access/etc, irc is where i saw it, i'm sure there are other venues as well.

Bad title

[Galestar]

How is this a "stock exchange"?

Re:Bad title

[K.+S.+Kyosuke]

I guess they are going to set up their office at Firewall Street.

Re:Bad title

Both involve trusting your money to less than scrupulous people to do all the work for you in hopes that you'll get back more than you put in with no rational reason to back up this hope.

Actually I take that back. The hackers will at least worry about their reputation.

Re:Bad title

[eviloverlordx]

Just wait. In a few years, they'll be applying for a bailout, too.

Re:Bad title

[hatemonger]

Agreed. My first thought after reading the title was a large network of machines making microsecond stock purchases and sales with other machines, hoping that its algorithms are good enough to turn a profit. Some senior British official proposed a small fee per stock transaction to prevent that from happening, claiming that it would hurt the "buy and hold" stock purchasers, but I hadn't heard anything for a while. Samsonite? I was way off!

Re:Bad title

It's also just an idea someone put out. There's now evidence it's "Coming". We've all been bitching about fraudulent Slashdot titles for years. I don't think they'll ever stop with the hype.

Re:Bad title

[Athanasius]

Real Stock Exchange:

As best as I understand it that is pretty close to how real stock exchanges work. You don't necessarily sell shares just by saying you want to, someone else has to be prepared to buy them at the price you're asking. Nor can you buy them without someone offering to sell. The stock exchange keeps tracks of these offers and provides a mechanism to resolve them (OK, so there are stock brokers involved too, but this basic concept is how it works).

Botnet/Compromised Host Stock Exchange:

The botnet owner has 'bought' stock in the target machines by compromising them. He can offer to sell for at least a minimum price. The other party to the transaction offers to 'buy' a share of this stock at up to a given price. The 'stock market' resolves these offers by putting the two parties in touch where the buy maximum is at least the sell minimum price.

Re:Bad title

[Galestar]

Stock Market: Company releases shares of itself to investors in order to raise capital. Investors purchase these shares as "equity" into that company.

This: Hackers sell access to compromised computers.

This is more like your typical shady arms dealer than a stock market. Heck, this is even more like your local 7-11 than it is like a stock market - you buy computers rather than milk and cigarettes.

Robert Hansen has access

[BadAnalogyGuy]

Is SecTheory a harbor for these malicious users? Why does Hansen have such deep contacts?

How to Pay?

[MrTripps]

So you have just hired a bot master. How do you pay them? You know they are dirty hackers, so it isn't like you would just give them your credit card number or Pay Pal account. Maybe the guy just wakes up and finds a crate of Jolt and Hot Pockets on his doorstep.

Re:How to Pay?

[Soilworker]

Obviously those leave traces all over the place, cash only.

Re:How to Pay?

[snowraver1]

Western Union. "From anywhere, to anyone".

Re:How to Pay?

This is one of those things you learn from RTFAing over the years. They use anonymizing proxies, just like they do for everything else: http://www.wired.com/science/discoveries/news/2006/12/72278

Re:How to Pay?

[v1]

I can hook you up with an acquaintance in Nigeria that's very good with money transfers aquaintenance, let me know.

Re:How to Pay?

[Aradorn]

'OK, if I decide to do this, I'm gonna need an unlimited supply of Xena tapes, and Hot Pockets'.

Re:How to Pay?

[foldingstock]

Original line, which was also used in previews/commercials, was: "OK, if I decide to do this, I'm gonna need an unlimited supply of Star Trek tapes, and Hot Pockets."

It was changed to "Xena" for the actual film.

Re:How to Pay?

[__aaoyac5342]

Why not just use cash? You know like the classic brief case of greenbacks in a shady area of town.

Re:How to Pay?

[St.Creed]

That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).

No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it.

Re:How to Pay?

[vaguestalker]

The site you refer to doesn't seem to even provide a Tonga service. I also notice they pretend to be a country in themselves when marketing their Casino license service. Regretfully this field also has a lot of "black hats" operating within it, not necessarily these guys, yet the indications are there. When shopping for services like that its always better to look at vendors that operate from a slightly better regulated jurisdiction, like for example Cyprus. Here is an example http://www.internetincorporate.com/ of company formation professionals that are trustworthy. Tread lightly in the murky tax haven shallows.

buzzword bingo

[Thud457]

Cloud Computing FTW!!!

Another question.

[khasim]

He's not the type to hack randomly, he's only interested in targeted attacks with big payouts.

Yeah, whatever. If I was an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.

If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random machine in a specific block would be much easier.

Then you'd use that machine (those machines) to more easily target the specific machine.

Re:Another question.

[Securityemo]

The basic principle of botnet herding obviously involves spamming botnet trojans through whatever vectors available, but it's the utilization of these resources that is discussed. Imagine what havoc a dedicated person could cause through, let's say, insider trading?

Be careful what you wish for.

[khasim]

Why not hold microsoft responible for their own products too?

And what happens to FOSS developers who accidentally leave a bug in their code?

Re:Be careful what you wish for.

[cynyr]

non commercial product. if it was dual licensed even then the contract could state that the software comes as is.

Re:Be careful what you wish for.

[icebraining]

The obligation doesn't come from the product, it comes from the fact they ask you to pay for it.

Re:Be careful what you wish for.

[Lunix+Nutcase]

Maybe you should read the Windows EULA?

Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the Software, and the provision of or failure to provide support or other services, information, software, and related content through the Software or otherwise arising out of the use of the Software. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE.

Re:Be careful what you wish for.

[Lunix+Nutcase]

Yes, such a disclaimer of warranty is in the Windows EULA that you agree to when using the product and has been since the beginning.

Re:Be careful what you wish for.

[Lunix+Nutcase]

If it were that simple that one was free of an implied warranty by being non-commercial there would be no point in putting a disclaimer of warranty in the licenses of FOSS software. The issue, though, isn't as clear as you would like it to seem.

Re:Be careful what you wish for.

[icebraining]

Oh, I'm not talking about what it is, I'm talking about what it should be, legally. And EULAs are not above the law. In fact, EULAs (presented after the sale, as in this case) are not even valid in some countries, like Germany.

Re:I can't believe we are still discussing this ..

[Galestar]

You have oversimplified the issue. The root causes are;
1. Windows / [insert other exploitable program here (ie. Flash/Adobe PDF reader)]
2. Stupid users

If your user downloads and runs malware, there's almost nothing your OS can do to stop it. The only way to stop it is to force application signing... but who really wants that?

So tell me, which OS would you choose that could stop all malware even with stupid users?

Survey

[ardeez]

Can somebody do a survey of all of these infected machines and check what OS
version they're running?

If there's a growing number of Vista and Win 7 machines then someone should
get back to MS and let them know whatever they're doing ain't working.

With all of these security initiatives I'd have thought botnets would have been a shrinking
problem - not something that was a growth industry as this article seems to indicate.

Re:Survey

[Volante3192]

If there's a growing number of Vista and Win 7 machines then someone should
get back to MS and let them know whatever they're doing ain't working.

OS gains popularity, users on said OS want to see their dancing bunnies.

An operating system is only as secure as the user behind it. I'd guarentee most of the people around here could run a secure, stable Windows system AND be productive on it. But these are the same people who know to surf with adblock, noscript, a firewall and NOT go looking for dancing bunnies.

Re:Survey

[Agarax]

The problem isn't Windows, it's users that are willing to run free-porn.exe that is linked in facebook/email/whatever.

Any operating system is only as secure as the user operating it.

A properly configured Windows 7 machine with a solid antivirus, firewall, and a user who paid attention during 15-20 minutes of information assurance training would be a real bitch to exploit.

Re:I can't believe we are still discussing this ..

[NoSleepDemon]

Windows is no more secure than Linux, or whatever hippie OS you're into. Any OS as popular as Windows is going to get the crap hacked out of it, the only reason Linux (assuming you're into that, but substitute it for whatever you like) is 'more secure' is because your grandmother doesn't open .exe attachments on it.

Why not use a botnet

[linzeal]

To trade stocks in the first place? Buy some penny stocks/junk bonds whatever and get/steal/buy enough logins to various brokerages than just pump the price at an opportune time, take the money and run.

Re:Why not use a botnet

[zero0ne]

My guess is that the organized cartels are already doing this.

Except that the second you cash out and it is discovered that the stock was inflated by 100,000 hacked e-trade accounts, you are the number one suspect.

Re:Why not use a botnet

Sadly the latency would make then uncompetitive against Wall Street. They already have bots doing trading.

Besides, do you seriously think you can out-crook the financial sector? These are people that can literally sell you nothing for a billion dollars and get away with it.

Re:Why not use a botnet

[Danimoth]

This happens on a rather frequent basis. I work on a trading desk which sees some retail customer order flow. Every now and then fraudulent pump and dump stocks come to our attention. Its usually not too hard to figure out that some order for 5x the average daily volume in a penny stock is fraudulent. Not to hard to track down the customer to give them a call and find out that they had no idea their account was broken into. A much more effective way is to send the orders a few hundred or thousand shares at a time and have them auto executed by a machine. Usually they trace the attacks back to Eastern Bloc countries. I know Hungry was pretty popular last year.

Re:I can't believe we are still discussing this ..

[Volante3192]

The solution, is obvious too: use another operating system.

And when the windows l^Husers switch to another operating system and want to see their dancing bunnies, then what?

crime

[Max_W]

I've been spending more and more time talking to blackhats lately. Frankly, I think they're fascinating people

They are criminals who steal from people. Fascinating people? How sick.

Glamorizing thieves and moral creeps is sending a wrong message especially to young people. If it were up to me I would lock this Robert Hansen into a jail together with his "blackhats" thieves and thrown away the key. This is where he and they belong.

Re:crime

[Volante3192]

"Mister Spock, you misunderstand us. We can be against him and admire him all at the same time."
"Illogical."
"Totally."

--Space Seed

Re:crime

[icebraining]

Be sure to lock up all those teachers who make children's plays based on Robin Hood.

Re:crime

It is counter-productive for a security researcher to not be fascinated by these people. Your moralizing the issue only holds back any meaningful gathering of knowledge that can be used to mitigate the harm that blackhat hackers can cause to legitimate people. There is a time and place for us to objectively learn more about their culture, technology, and economy for our own well being.

Re:crime

[azmodean+1]

Probably a troll, but I'll bite.

1. Regardless of your knee-jerk reaction to being interested in how "bad people" think, they ARE fascinating, and often very fruitful to study.
2. Assuming you didn't RTFA, I don't see anywhere where he glamorizes black hats.
3. This is akin to a cop going undercover to find out how criminals operate, you think they should be tossed in jail too?

Security research REQUIRES you to think like the "bad guys", it just comes with the territory.

Re:crime

[Max_W]

a cop going undercover to find out how criminals operate

This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals on his own will. It is his duty to report the crime in progress.

Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."

Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

Your fascination with them is unjustified. It is like a person, who likes to knit, would be fascinated by a criminal, who, say, strangle people by a cord.

One can well be a good talented programmer and not be fascinated by moral freaks, who use programming to commit crime.

Re:crime

[archangel9]

How in the world can you try and objectify others' fascination?

One can well be a good talented programmer and be fascinated by pretty much anything.

Re:crime

[azmodean+1]

a cop going undercover to find out how criminals operate

This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals on his own will. It is his duty to report the crime in progress.

Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."

Where does Hansen say he was "present at the crime scene"? I assume his contacts didn't give him any incriminating details, so what crimes in progress does he have a duty to report? If he did participate in any crimes, then he is obviously culpable. Otherwise it is a similar situation to a reporter interviewing a criminal, though again a security researcher is lacking the special protections reporters get for that sort of thing.

Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

No, I've had systems compromised quite a few times before I knew any better, and had to clean up after many people who have had their systems compromised as well. Although if you mean I haven't been a "serious victim" I guess you are correct, though that wouldn't change my attitude about it. Not studying the problem is a sure-fire way to remain vulnerable to it.

Your fascination with them is unjustified. It is like a person, who likes to knit, would be fascinated by a criminal, who, say, strangle people by a cord.

Let's see, my wife, who happens to knit, IS fascinated by forensic investigation documentaries, partially for the forensic part, but partially for the pathology of the criminal involved. I guess it runs in the family ;)

But seriously, my point here is that interest does not equate with belief. Just because someone studies criminals (of any kind, I don't make a distinction between "regular" thieves and botnet operators) it doesn't mean that they approve of the crime.

One can well be a good talented programmer and not be fascinated by moral freaks, who use programming to commit crime.

Definitely, but I'm skeptical how good a security researcher you can be without being at least a little interested.

Re:crime

[Securityemo]

I find your moral reasoning lacking. What, you think that he'l "turn to the dark side"? That professional mercenary botnet/malware distributors actually care about "professional admiration" and will up their ante because of it? What is it that makes fascination with evil/amoral people inherently "wrong"?

Re:crime

[Securityemo]

Look, I hate to break it to you - "security researchers" are basically crackers with morals who, for obvious reasons, would like to live in civilized society without being ostracized. A lot of "them" go "a tad bit" neurotic because of the inherent contradictions in this, but that's how it is. And if you're incapable of feeling more than one emotion towards a thing, concept or person, you're severely emotionally underdeveloped.

Re:crime

[Securityemo]

"The head of the Department of Post-Mortem Communications shrugged and sighed. ‘Look,’ he said, as if weary of having to explain so often, and sighed again. ‘I am supposed to be the bad person as defined by university statute, right? I am supposed to listen at doors. Supposed to dabble in the black arts. I’ve got the skull ring. I’ve got the staff with the silver skull on it—’ ‘And a joke-shop mask?’ said Glenda. ‘Quite serviceable as a matter of fact,’ said Hix, haughtily. ‘Rather more frightening than the original thing and washable, which is always a consideration in this department. Anyway, the Archchancellor was down here weeks ago, after the same stuff you are, I very much imagine.’"

Re:crime

[hoelk]

Your fascination with them is unjustified. It is like a person, who likes to knit, would be fascinated by a criminal, who, say, strangle people by a cord.

it's more like if you like to knit, and is fascinated by someone who knits mind-controlling socks and gets millions of people to wear them on a day-by-day basis without them noticing it.

Re:I can't believe we are still discussing this ..

[atomic777]

It's not quite that simple. Proving that a product as complex as a consumer-level GUI operating system is bug-free and secure is in general an undecideable problem.

We can't even prove that our critical, lower-level embedded software (aerospace, health-related, etc) is bug-free, and this is why there is substantially more effort put into ensuring that such software is of high quality. For example there are extensive regulations on how exhaustively testing must be done on various components of an aviation-related piece of software, depending on its criticality

Try enforcing something like this on Windows, and even monopolistic Microsoft's fabled profit margins would disappear -- it would be the push that crowd-sourced OSS software would need to acheive a real foothold in the desktop market.

Re:I can't believe we are still discussing this ..

[DCstewieG]

It would be interesting if enough unsophisticated users who unknowingly run bots decided that something like the iPad is "good enough" for them and they got rid of their PC. I say would be because it's not going to happen.

But to answer your questions, very casual users, and iPhone OS.

Why not use

the comment field for your comment and the subject line for your subject?

Hansen's model?

[Ironhandx]

He's reposting word for word what happens on a daily basis and its his model? Is anyone else slightly confused by this?

Though TFA does at least mention "This model makes sense on a number of levels and may well have been implemented already."

Theres even underground exchanges between the various botnet holders to some extent. If botnet controller A does not have enough(or any) compromised machines related to a target in one of his customers shopping lists he'll go to botnet controller B, C, or d-z in order to find what he needs. Obviously they don't trust each other much but there is some level of cooperation.

Even targeted hacks will often try the same methods as used to spread botnets in the first place, if you're in that line of business and there are somewhat reliable sources of compromised machines out there that will get you what you need faster and thus a) reduce your own work load and headaches and b) end up with a happier customer for a prompt job completion. (aka they'll think you're the shit and come back again if they need something else, every business out there, legal or otherwise, needs return customers)

Come on, these guys are doing highly illegal, highly technical, very high problem solving ability oriented tasks for a living. You think they haven't been doing this for, oh, over a decade now? Thats about how dated my information is... I think its a safe bet to assume its still going on.

Re:I can't believe we are still discussing this ..

[cynyr]

even app signing wouldn't work, it would ahve to be open enough to allow small outfits to produce code, and would need to allow dev to test run their code prior to the app signing. Both of those are holes, whats to stop a hacker from making a legit app and then using the same cert on both it and the malware?

*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, problem solved.

Re:I can't believe we are still discussing this ..

[Volante3192]

*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, problem solved.

I guess we need to add the criteria of 'user needs to be productive'.

You can do that in Windows as well, by the way. GPOs and NTFS permissions are wonderful little toys.

I can already see the ticker

[g0bshiTe]

HX Stocks rose today, as they aquired Zues.

Re:I can't believe we are still discussing this ..

[socsoc]

I'd be up for disconnecting them from the matrix.

Penny stocks? Bah!

[SlappyBastard]

It's already being done on fractions of a cent in arbitrage between the closes and opens of various stock and currency markets. All legitimate trades, mind you.

Go back and look at the Societe Generale incident from 2008. And that guy was just working with Excel macros!!

Re:That's the shittiest business model EVER!

SlappyBastard wrote:

All wealth is created in arbitrage.

That's absolute nonsense (unless you're going to use a definition of 'wealth' gamed to mean 'something created in arbitrage'). It's easily proved wrong by simple thought experiments. If I make a chair, I am wealthier by one chair. It doesn't matter whether or not anyone else is willing to pay for the chair. You may be able to argue that if I need something I can't make for myself that the financial system I have to rely on to get has arbitrage as an integral component. I might have to agree with that simply because barter of goods and professional services is taxable by the IRS, but the IRS will only accept money, not goods and services to pay the subsequent taxes.

Re:I can't believe we are still discussing this ..

[Lunix+Nutcase]

We are making Toyota responsible for all the incidents, and possible future incidents with their acceleration issues, aren't we? Why not hold microsoft responible for their own products too?

You mean other than the fact that the EULA you agree to when using Windows says that Microsoft disclaims all warranties and Toyota has no such contractual agreement with purchasers of their car? And before you go on about being able to ignore that and claiming EULAs are unenforceable (which is a common slashdot meme but it is wrong) then you would have to say that any such disclaimers in FOSS software would be null and void too thus opening them up to being held responsible for any bugs in their software.

Reality check

[darku]

The concept seems sound and trades are not uncommon in the cracker world but this is not the problem. - "How do you know that your system is secure?" - "Aaaa, I have an antivirus and broadband router that is handling my Internet connection. That should keep me safe" - "Ok. And why are there all those ports opened on your router?" - "Well, I'm forwarding everything through it in order to be able to play _______" (Insert game name here) - "I see. Ok." An antivirus and a firewall will not help you if you are stupid enough to open the latest XXX e-mail that knocks on the door of your never-updated Outlook Express or if your password is 123456.

Re:I can't believe we are still discussing this ..

[icebraining]

The repository model would not scale to the level that Windows exists in. The users would not put up with it.

Why?

Re:I can't believe we are still discussing this ..

[mrsurb]

We can't even prove that our critical, lower-level embedded software (aerospace, health-related, etc) is bug-free

Car braking software...

My new BotNet...

[MasterOfGoingFaster]

Hey, I just launched a new BotNet on 127.0.0.1 so if anyone wants to
****** CARRIER LOST *******

false equivalency

[Medievalist]

But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

Whoa, whoa, hold on there a minute!

The botnet is "just about the same" as a stolen gun, a stolen axe, stolen lockpicks, etc. Generic tools have no inherent moral dimension; lockpicks can be used to save a baby locked in a burning building, an axe can be used to build a house for a homeless person, a gun can be used to defend against criminals or to hunt for food.

A tool only has the moral dimensions the tool user imposes upon it by the circumstances of its creation, ownership and use.

The botnets are created from unwillingly compelled zombies; they exist as a continuous theft of resources from the zombie owners. Therefore they are not "just about the same" as my gun, my axe, or a set of lock picks.

Re:false equivalency

[Max_W]

Good point. I agree with you that it is a continuous theft.

Re:I can't believe we are still discussing this ..

[icebraining]

Mostly because developers (including large companies) would refuse to distribute their software via such a model

Why? They can set up their own repositories, and the software would warn user about updates. They don't have to rely on distros' repositories.

It's true that they would have to make multiple packages, but that's not exactly astrophysics, and can easily be automated in the build process. And the repository itself is usually little more than an HTTP server with a particular directory layout.