Slashdot Mirror


How Viruses Evolve Into All-Purpose Malware

KingofGnG writes "Computer threats are continuously evolving, and some malicious code is difficult to tackle because of its inherent complexity and an intelligent design capable of constantly putting security companies under pressure. A remarkable 'intelligent' threat is for instance Sality, the 'new generation' file virus that according to Symantec has practically turned into an 'all-in-one' malware incorporating botnet-like functionalities as well."

117 comments

  1. the benefits of open source... by Michael Kristopeit · · Score: 0, Troll

    when exploit code is made public then all other malware authors can add it to their payload

    1. Re:the benefits of open source... by Anonymous Coward · · Score: 0, Troll

      I have yet to see a macro virus for Open Office that did not originate in the desire to allow MS office macros to work.

      And God damn there are just SO MANY linux viruses, fuck man, those virus writers have access to the KERNEL SOURCE! That's like the HOLY FIZJUCKING GRAIL MAN!

      So the FACT that there are 1/100 of the viruses for OPEN SOURCE programs that there are for closed source programs doesn't even enter your tiny little closed mind, does it?

      Nothing worse than a willful idiot.

    2. Re:the benefits of open source... by pankajmay · · Score: 5, Insightful

      Face it, thanks to Open Sores we all get to suffer more malware and more powerful malware. If even Microsoft with all their programmers has a hell of a time keeping up with patches and all of that, how are average users going to stand a chance? Tell me again why closed source is such a horrible thing??

      Because closed source is equivalent to the security through obscurity paradigm -- which never works and, worse still, is illusory. You are only asking to live in your la-la land when the reality is different.
      Malicious people are going to develop such sophisticated attacks regardless of whether software is closed-source or open-source.

      Making such exploits open-source lets us know what sort of channels are exploited. This leads to a better understanding of the weaknesses in the underlying protocol. This is where you have improved software that won't fall down like a house of cards when kicked at the shins.

      With closed source -- you are trusting what? An obscure programmer who is under a deadline to push something out the door??

      You probably are not even aware of how many times Open Sourcing has saved your a$$. Just because you pretend the problem doesn't exist, does not mean that your ignorance is the truth.

    3. Re:the benefits of open source... by Anonymous Coward · · Score: 0

      You said it and will probably get modded Troll for that too because it goes against the groupthink.

      It may go against the groupthink. It definitely goes against fact. Pesky fact. Oh well.

    4. Re:the benefits of open source... by Opportunist · · Score: 3, Insightful

      While not really an MS fanboy, the main reason why there's so little malware for OSS is because there's so little market. Malware is just like any software: They want to target a market as big as possible. Why are there so few commercial games for Linux? Same reason.

      Besides, it's not anymore which system is more secure. The main question today is, which system has the bigger amount of completely ignorant users who click anything promising them dancing bunnies. And you can have the tightest, most restrictive security system in place, if the user has the root password and hands it to everything promising him a dancing bunny, the security is Swiss cheese. Windows, Linux, MacOS or whatever, if the user is a doofus, the system is easily compromised.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    5. Re:the benefits of open source... by KibibyteBrain · · Score: 1

      Quite frankly, having the source doesn't help exploits much, or at least not nearly as much as it helps in correcting exploits. The reason for this is most of the common methods for injecting code into privileged apps are extremely complex and rely on several different parts of the code to be in a certain key state to take place. So, save for 1) being a literal genius or 2) having a ton of experience in knowing where security problems in coding tend to pop up (and even here, you will miss most), code review doesn't help much in finding actual exploits (although it can be instrumental in determining if the architecture of the code is exploit prone, so again, better for the whitehats than blackhats).

      The easier way to look for exploits now is to automate the app and then find ways to make it crash or otherwise misbehave/not behave as intended. If you can find a way to make it crash, especially segfault etc, you have found a bug that is likely to be exploitable. Many security researchers and firms have clusters of automated programs crunching night and day trying to find ways to make them crash/trigger unusually high exceptions/looking for other signs of misbehavior.

      Another good way is to look for certain patterns. For example, a .net app that makes lots of disorganized unsafe calls to unmanaged code is a good shot (probably a newb or incompetent programmer (disorganized) treading on dangerous ground), and you can monitor all of this just fine if not more easily sans-source, with standard debugging tools for the OS you are on (doesn't matter which).

    6. Re:the benefits of open source... by JoeMerchant · · Score: 1

      Security through obscurity does work much better than open source (when measured in the number of man hours required to break a system).

      The problem comes in that obscurity lends a sense of invulnerability, which is false, and the designers of obscure systems don't try as hard as the open ones.

      When I am charged with designing a system that is "secure enough," obscurity adds a layer of protection, I try to ensure that there are no embarrassing holes, but at the end of it all, any system, open or closed, is vulnerable unless you control the hardware and monitor it. No matter how clever or strong a lock is, it can always be bypassed.

    7. Re:the benefits of open source... by Runaway1956 · · Score: 1

      Always, the market share argument. And, it's more than half bullshit.

      There are little geeky dweebs living in their mother's basements all over this world, who would LOVE TO HAVE BRAGGING RIGHTS. Just being known as "The guy who reliably hacked Linux" would be a wet dream come true for them.

      And, they haven't done it yet.

      Yeah, market share. But, real hackers aren't interested in low hurdles, they are looking at the pole vault.

      Take your market share argument, roll it up and smoke it. That's about all it's good for.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    8. Re:the benefits of open source... by zwei2stein · · Score: 1

      Two points:

        * OS security is dependent on white hats finding exploits faster than black hats. That is not a guaranteed feature and shifts it back to security through obscurity, even if the obscure is in plain sight.
        * Most people download OS binaries and not source that they examine and compile themselves. A binary can of course contain evil stuff. There were a few issues with forks of p2p clients that included malware but which had sanitized source online. Again, obscurity and the illusion of peer-reviewed software.

      Remember: ALL security is through obscurity (you hope the attacker does not have knowledge of how to crack the system) and is illusion (because you are never guaranteed that he does not have it).

      basically, same la-la-la-land of having secure system.

      --
      Technology for the sake of technology is as pathetic as eschewing technology because it's technology.

    9. Re:the benefits of open source... by smpoole7 · · Score: 1

      "the main reason why there's so little malware for OSS is because there's so little market ..."

      There's some truth to that. But speaking as someone who actively developed and consulted on anti-virus software back in the heyday of MS-DOS 5 and 6.22, I'll share my opinion. I freely admit that things have changed over the years, and that my knowledge is old. But I feel that the basic problems and principles are still the same.

      1. Basic philosophies: Microsoft, and thus Windows, basically started on individual, personal computers. The system then "grew up" over the years. 'Nix, by contrast, has its roots in multi-user, multi-tasking environments that were more secure to start with. So ... from bootup to desktop, Unix is more secure BY INHERENT DESIGN. Windows has to *add* security to an inherently *insecure,* wide-open system. That's a critical distinction that many people miss.

      2. I argued back in the DOS era that it was possible to stop most malware. My partner and I wrote a three-tiered system: (1), an "inoculator" that did integrity checking on "injected" executables; (2) a behavior blocker that literally patched the DOS kernel (deep inside!), but which granted a pass to any executable that passed a CRC test of an injected file, thus preventing false alarms; (3), an MBR with self-checking boot code. At the time (mid-80's), I could not find a virus that could get around it and infect the system.

      I don't say that to boast, but to make a point: if a couple of ordinary guys could write something that effective, why couldn't the Big Boys? It was an argument I made all the time back then, and I still make it now.

      People want scanners, even though they are REACTIVE, and not PRO-active. They like the positive assurance of running the scanner and seeing the happy-face, "your system is clean!" dialog. Our system, by contrast, never said a word as long as the system was uninfected. No one wanted it.

      I could say a lot more (and I may later, if this thread is still living), but I've got to head to work.

      --
      Cogito, igitur comedam pizza.

    10. Re:the benefits of open source... by Opportunist · · Score: 2, Insightful

      Care to back it up? I have here a rather extensive amount of samples per day flooding me, more than I can sensibly analyze away (fortunately 99% are just variants of something I already have). And nearly all of them rely on social engineering at some point. And all of them are for Windows.

      These asshats writing malware are not "real hackers". They're businessmen, plain and simple. They don't give a fuck whether they compromise your machine or the one of the doofus next to you. Actually, the doofus is more interesting because he probably cares less about security than you do and hands him more info.

      Of course, cracking the shell of a Linux box (pardon the pun) wins you the holy grail of hackerdom, and you gain cred by the truckload. But that's not the point here. Nobody writing malware cares for fame. Quite the opposite.

      It's a business. Take a look at RBN, as a prime example of how it's done. Do you think these guys care about hacker cred? Do you think they aim high at the pole vault to "prove" something? They couldn't give less of a fuck about your opinion about them. They do it for the money. Plain and simple.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    11. Re:the benefits of open source... by Opportunist · · Score: 1

      Very true. I'd love to chat with you and see how the biz grew. I've only spent the last 10 years in AV development/analysis (so I didn't really do any thorough research for those good ol' TSR malware, and the file infectors are also few and far between these days), so I'm pretty ignorant of the "old days". Your argument is pretty solid and works for DOS. It does not, cannot, for Windows for a simple reason: Multitasking, and very different ways to hide malware.

      Back in the DOS days, and please inform me if I'm wrong, there was a rather limited amount of ways where you could sensibly put your malware if you wanted it to run "constantly". Off the top of my head, I can only think of two: MBR and TSR programs. Now, MBRs are easily inoculated: You don't change them often, it's sensible to simply lock it. Most mainboards back then offered that option already, so that was easy to plug. TSRs also needed to be started, and in DOS there were rather few ways to start TSRs (reliably, not relying on the user to execute an infected file): Config or Autoexec. Anything else?

      TSRs don't exist anymore. You simply have "normal" programs running next to the other programs you're using. And for some reason MS considered it necessary to allow the starting of those programs in a few dozen different places. Aside from the Autorun folder and the Run Registry keys, you could fake it being a shell extension (also allows you to neatly ensure your malware starts before any AV kit would). Or you could make it a driver and slip it into the non-PnP driver section. A neat way to get a rootkit into the system. Or a few others (I guess you understand that I don't want this to turn into "Malware writing 101"). There is literally so much crap running on the average machine that nobody really ever notices just WHAT gets started. Anyone interested in checking out what his Windows machine is loading may take a look at autoruns (Google is your friend), and that's not even all of it!

      Patching the kernel is not a good idea either. First of all, MS does not really like it if you do it. And the next time you're patching Windows all hell might break loose. Either the patch fails because MS doesn't recognize your version. Or they patch it and your kernel patch breaks. Or, the most likely version, the system is trashed.

      I think a suitable analogy is that DOS was a nice little cot where you had a door and maybe a window (if you cared to make one), and putting a guard there was pretty easy. Plus, if there was someone in your little room with you that didn't belong there, you could quickly spot him because, hey, there's nowhere really to hide. Windows today is a king's castle with about as many doors, windows and balconies, and all of them offer a burglar access to it. Plus it's so friggin' huge that he can spend a whole day stealing crap and you wouldn't even know he's here because you'll never encounter him while ambling through your huge mansion.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    12. Re:the benefits of open source... by drsmithy · · Score: 1

      This is false. Windows NT was built from the ground up as a "multi-user, multi-tasking environment". With a design superior to the traditional UNIX security model.

      2. I argued back in the DOS era that it was possible to stop most malware. My partner and I wrote a three-tiered system: (1), an "innoculator" that did integrity checking on "injected" executables; (2) a behavior blocker that literally patched the DOS kernel (deep inside!), but which granted a pass to any executable that passed a CRC test of an injected file, thus preventing false alarms; (3), an MBR with self-checking boot code. At the time (mid-80's), I could not find a virus that could get around it and infect the system.

      How does your system prevent end users willingly infecting themselves (probably 90% of contemporary malware infections)? How is the CRC whitelist both protected from modification, but also kept current?

      The malware landscape today is vastly different to what it was then.

    13. Re:the benefits of open source... by drsmithy · · Score: 1

      With closed source -- you are trusting what? An obscure programmer who is under a deadline to push something out the door??

      As opposed to an obscure programmer who has no interest in fixing a problem because it's boring?

    14. Re:the benefits of open source... by drsmithy · · Score: 1

      There are little geeky dweebs living in their mother's basements all over this world, who would LOVE TO HAVE BRAGGING RIGHTS. Just being known as "The guy who reliable hacked Linux" would be a wet dream come true for them.

      Most of the time it isn't the OS being "hacked", it's the user.

      And, they haven't done it yet.

      Yes they have. There are/have been hundreds - thousands - of exploits for Linux and Linux software. The difference isn't the existence or non-existence of exploits, it's the user demographic. This is particularly true today when most "exploits" are social engineering, not software flaws or bugs.

    15. Re:the benefits of open source... by Opportunist · · Score: 1

      This is false. Windows NT was built from the ground up as a "multi-user, multi-tasking environment". With a design superior to the traditional UNIX security model.

      In theory, yes. And up to NT4.0 it might even have been (forgive me, my knowledge of the NT line before 2k is rather fuzzy as it has never really been the mainstream line for malware... probably for just that reason).

      With the merger of the 9x line with the NT line in 2k, we got, security-wise, the worst of both worlds. In other words, essentially, the 9x security. For reasons of compatibility. And it's not even MS's fault. If you want to blame that security blunder on someone, blame it on the third party software writers who were lazy enough to assume they have root rights and full access to anything, who scribbled their crap keys into the machine rather than the user tree, who dumped DLLs into the system directory and who simply assumed they have full read/write privileges everywhere, from the Windows to the Program Files directory.

      That problem still sticks to our boots like dog shit up to Win7. Only that now MS made it convenient to switch between limited and full access rights. But only between this. All and nothing. There is still no sensible "limited" privileges system that the user can easily choose when he only wants to install a program... but then again, try to find a game these days that doesn't want to crap a driver for its protection system into your non-PNP driver list.

      But even if Win7 had the security and fine grained privileges system that it maybe even has: What Joe Randomuser could possibly make use of it? I'm already happy if he grasps the idea of different privileges at all, and when I somehow get it through his skull that clicking "allow" is something he should reserve to program installations... but even then, he cannot make that decision! And that's the core problem, as you have pointed out anyway (and I guess we're in agreement here): The user is the problem. Not the system.

      And no, you cannot give an unclued user "enough information to make an informed decision". He doesn't even understand what you're saying! And he is not willing to listen. He will not read pages after pages of text that could probably even tell him whether or not it would be a good decision to click yes or no. After years of cryptic, nonsensical error messages, the user is no longer willing to read them. Anyone who ever worked in tech support will tell you: Users close error messages without even reading them. "What was the error message?" "Dunno, I closed it, didn't make sense to me so I didn't read it". Error messages make people feel dumb because they cannot understand them. And years of error messages that didn't make any sense to them taught users that they do not want to read system popups. They make you feel dumb, so close them as fast as you can. That's the message the user gets from them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    16. Re:the benefits of open source... by drsmithy · · Score: 1

      With the merger of the 9x line with the NT line in 2k, we got, security-wise, the worst of both worlds.

      There was no "merger" outside of the marketing department. The security model of NT remains the same today as it was at its release (albeit with a few UI tweaks like UAC). Your premise is broken. Broken third party applications are not something that the OS or OS vendor can control.

      The rest of your post essentially boils down to what I've always said - you can't secure a system where an ignorant user has full control.

    17. Re:the benefits of open source... by Runaway1956 · · Score: 1

      I thought we were talking about working exploits. Things that work. Of course there are thousands of exploits. They are found, they are fixed, they are forgotten. Unlike Windows. Having an exploit doesn't get you into a box, after all.

      Whatever. You guys keep trotting out the tired argument that it's all about market share. Linux' market share keeps growing, but the malware market share for Linux remains near zero.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    18. Re:the benefits of open source... by pankajmay · · Score: 1

      As opposed to an obscure programmer who has no interest in fixing a problem because it's boring?

      Nope not really. With open source - you will usually have someone out there who needs to plug that hole because they have a genuine need for it for some reason. They migrate their solution upstream, where it ends up benefiting all.

      True, open source also results in abandoned works. But the very fact that you have the code available means that if you take interest, you can do anything with it (or even own and direct its development) as opposed to a black-box that is closed-source. You just have a binary and you are stuck with it, if your programmer abandons it.

      Open source is not always a polished alternative - something that closed source can always do better. But Open Source is always a fundamentally superior alternative -- because knowledge only grows when shared and incorporated with others' opinions.

      This is one of the reasons why academia seems to embrace Open Source widely - because nowhere else is the value of collaboration more recognized.

    19. Re:the benefits of open source... by drsmithy · · Score: 1

      Nope not really.

      Yep, really. Or, at least, as frequently as your stereotype is also true. You do realise the majority of widely-used open source code is written by the same kinds of people writing closed source code, right? People being paid to do it by companies like Red Hat?

    20. Re:the benefits of open source... by drsmithy · · Score: 1

      I thought we were talking about working exploits. Things that work. Of course there are thousands of exploits. They are found, they are fixed, they are forgotten. Unlike Windows. Having an exploit doesn't get you into a box, after all.

      Windows exploits are fixed regularly and frequently.

      Whatever. You guys keep trotting out the tired argument that it's all about market share. Linux' market share keeps growing, but the malware market share for Linux remains near zero.

      It's primarily about user demographic, infection rates and consequences. "Market share" is just a simpler way of capturing those things. Most "exploits" do not leverage unpatched software bugs or flaws.

    21. Re:the benefits of open source... by helios17 · · Score: 1

      Agreed...the market share argument has been more than destroyed. It boils down to the three little pigs...the third house stood because of its construction integrity. File system engineering and permissions make Linux more secure...Runaway nailed it. Vista tried to get its users to deal with admin rights and users squealed like the first two little pigs. When the PWN 2 OWN competition ended in 2008, Linux remained untouched. The hacker involved stated that if he had "another 20 minutes" the laptop running Ubuntu 7.10 would have fallen. Well, it's been two years. I haven't heard a word from the people who made the twenty minute claim. Seems they would have announced that breakthrough. They haven't and they won't... However, there is no guarding against a stupid computer user...any OS is insecure when the user gives rights to a script or app. Yeah, the market share argument gets old and most of us just roll our eyes when it is trotted out. Sometimes it just doesn't seem worth it to correct another person who refuses to think a matter through.

      --
      Windows assumes you are an idiot...Linux demands proof.

    22. Re:the benefits of open source... by Anonymous Coward · · Score: 0

      With the large server market share that Linux has, I don't follow the argument.

  2. Not as annoying to analyze as it could have been. by Anonymous Coward · · Score: 0

    Imagine if the first version of Blaster was infected by the author with W32/Similie.

  3. You lost me... by Simulant · · Score: 5, Insightful

    ... at "according to Symantec."

    1. Re:You lost me... by Opportunist · · Score: 1

      I was already puzzled at "new generation".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    2. Re:You lost me... by DarkOx · · Score: 0

      You don't trust your root CA?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    3. Re:You lost me... by Dracophile · · Score: 1

      I didn't even get that far. I got to "intelligent design" and thought this was a story about mind viruses.

      --
      Athy, athier, athiest.

  4. Sometimes I think apple has it right vetting s/w by Aargau · · Score: 2, Interesting

    Our immune system has an advantage over viruses and bacteria due to our greater cell specialization and intelligent response. The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.

  5. Software alone wont ever solve this problem. by Mattpw · · Score: 5, Insightful

    Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions. The increasing complexity of modern systems ensures that the security holes will only grow not diminish. But maybe the next software "update" will solve all our problems this time?... The only permanent solution I can see is mass deployment of airgapped two factor tokens specifically for transaction authentication not generic OTP which the trojans are bypassing. This is the only security that I can guarantee what I am authenticating by looking at an airgapped device. I find it increasingly difficult to justify the performance loss for running anti malware software for the ever diminishing protection offered.

    1. Re:Software alone wont ever solve this problem. by phantomcircuit · · Score: 1

      Sure there is. Whitelists, but nobody has the patience to do it.

    2. Re:Software alone wont ever solve this problem. by SanityInAnarchy · · Score: 1

      Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions.

      So what do you suggest? Hardware?

      The only permanent solution I can see is mass deployment of airgapped two factor tokens specifically for transaction authentication not generic OTP which the trojans are bypassing.

      Oh. I was actually being sarcastic.

      This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to? If they both make that promise, what does the consumer gain from the device?

      And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.

      I find it increasingly difficult to justify the performance loss for running anti malware software for the ever diminishing protection offered.

      I don't run it at all. It turns out the remedy is much simpler, saner, and cheaper than what you're suggesting. Just educate.

      --
      Don't thank God, thank a doctor!

    3. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 0

      You're wrong! According to Steve Jobs, the Macintosh OS is a fundamentally superior technology that is immune to viruses.

    4. Re:Software alone wont ever solve this problem. by Alan Shutko · · Score: 2, Insightful

      Apple does. Look at the App Store.

    5. Re:Software alone wont ever solve this problem. by testghost · · Score: 0

      There is only one company that has solved the malware issue, and that is Apple. In no other area can one download and use applications but not have to worry about viruses, Trojans, or malware. This is why Microsoft also wants to make their phones only allow apps from their store. With a proper gatekeeper in place, Trojans don't stand a chance, and people can do their work free of worry. Of course, this doesn't cover people who deliberately compromise the security of their devices by jailbreaking, but Apple will eventually make their phones as hackproof as the PS3s so this will be a nonissue soon.

    6. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 0

      Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions.

      Solve the halting problem, and the hackers lose.

    7. Re:Software alone wont ever solve this problem. by Mattpw · · Score: 1

      Oh. I was actually being sarcastic.

      Don't be sarcastic, didn't you know it's the lowest form of wit.

      This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to?

      You have only given one reason and it's not a security one. I would go with the one which offered me the best security and convenience, you didn't consider the inconvenience caused by having your accounts looted which the liability doesn't cover.

      If they both make that promise, what does the consumer gain from the device?

      You do realise that shifting the liability onto the banks doesn't actually prevent the theft? The users still pay for it one way or another and it's not simply a matter of cost or inconvenience to the public but also the lack of faith in an inherently superior and more cost effective method, ie banking online instead of going to a branch.

      And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.

      Please define your vulnerability. If you are talking about the banks' servers themselves being attacked I believe it is very very rare and it would be good if you could provide a reference. The vast majority of trojan cyber crime which is the issue here is performed against the users, not the banks' backend servers.

    8. Re:Software alone wont ever solve this problem. by Actually, I do RTFA · · Score: 1

      You do realise[sic] that shifting the liability onto the banks doesnt actually prevent the theft?

      You do realize that the banks don't have liability in fraud, the merchant does? And distributions of the cost of fraud are spread equally among those who use the crazy-hard system, and those who do not? And the banks actually make money off fraud by telling the merchant to fuck off and fining them for accepting a bogus credit card?

      You have only given one reason and its not a security one

      People are the biggest security risk of all; laziness is a security hole.

      --
      Your ad here. Ask me how!

    9. Re:Software alone wont ever solve this problem. by daveime · · Score: 2, Insightful

      Yes, but Apple haven't solved the problem, they've merely given the user one avenue that is "probably" safer.

      Anyone who has a jailbroken phone can essentially install software from anywhere, thus making them JUST as vulnerable as any Windows or Nix user.

      You might as well say Apple has cured the problem of AIDS by not allowing people to have sex.

    10. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 1, Insightful

      The problem is that the same solution that can address the Trojan problem will make DRM impossible to get around, like trusted computing, curtained memory, etc.

      Instead, what I'd like to see would be a standard for secondary access that is accepted by everyone across the board using an offline token system. The token system would allow someone to install an app on their phone (be it a WM device, Android, iPhone, or similar), or be a separate keyfob. Basically like what Blizzard offers for secondary authentication, but with the ability to support multiple devices (so if I don't take my phone with me, the authenticator on my keychain is usable), and is supported universally, even for machine authorizations.

      Even better would be a ZTIC-like system. Perform a major action on your bank account, you get prompted to confirm on your phone or keyfob with details on what was done. Same with changing a password on a social networking account, or altering substantially one's privacy or credit card settings. This way, the computer can be compromised as hell, and there will be damage, but it will be limited.

    11. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 0

      You are talking about Windows. They have this huge problem: almost no single programmer can see more than a few percent of the code. They cannot possibly adapt as fast as the free software. The GNU/Linux family, precisely because of its many branches, each with its unique security policy, will never have that hard of a time.

    12. Re:Software alone wont ever solve this problem. by Mattpw · · Score: 1

      You are right, the merchants are getting hit probably just as hard as the banks with credit card fraud. I was thinking more of trojans like Zeus etc. which are stealing users' banking logins and then filtering money out of people's accounts to their mules. This liability would or should fall squarely on the banks. The reality is we are probably all getting hit indirectly by this problem and it only seems to grow. Laziness can never be solved, agreed.

    13. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 0

      Solve the halting problem, and the hackers lose.

      You fail Computer Science forever.

    14. Re:Software alone wont ever solve this problem. by martin-boundary · · Score: 1

      A whitelist merely outsources the need for security from the system which uses the whitelist to the system(s) which is(are) whitelisted.

      If A only allows B to connect to its services, then A implicitly relies on B not getting hacked. But if B is hacked, then that hacker can pass through A's whitelist by pretending to be B.

      The only time A gains security this way is if B's security is greater than A (more or less).

    15. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 1, Interesting

      Ohh give me a break. Apple is just fortunate enough not to be getting attacked right now. GNU/Linux land is much better prepared than Apple's ecosystem because unlike with Apple on the desktop you haven't got systems where users are installing software from non-repository sources. In both MS Windows and on Mac you do though. In both MS Windows and on Mac there is no system to update everything either. It is left up to applications to do the updating and then users are forced to ok every application. My MOM who is completely illiterate has figured out how to accept security updates on GNU/Linux and she easily knows not to install MS Windows software, even though she potentially could. On GNU/Linux you have a system to update every piece of software generally speaking, so there just isn't a security threat like on MS Windows and Mac to even take advantage of. Everything that is going to be a core target for attack is protected well on GNU/Linux. Unlike GNU/Linux, if the Mac market share grows it will become a victim, even if less so than Microsoft, of spyware, viruses, and their ilk. If GNU/Linux market share grows it'll be much much less likely to see serious penetration even on novice users' machines by malicious attackers.

    16. Re:Software alone wont ever solve this problem. by morgan_greywolf · · Score: 3, Insightful

      Apple is just fortunate enough not to be getting attacked right now. GNU/Linux land is much better prepared than Apple's ecosystem because unlike with Apple on the desktop you haven't got systems where users are installing software from non-repository sources.

      One word: PPAs.

      Seriously. Think about it. Ubuntu PPAs are not vetted by Canonical or the Ubuntu Dev Team, and could, potentially, be used to spread Linux viruses.

      Of course, someone has to go through the work of adding it to the package manager, but Ubuntu has made this relatively painless by 'add-apt-repository'.

    17. Re:Software alone wont ever solve this problem. by SanityInAnarchy · · Score: 1

      You have only given one reason and it's not a security one.

      Actually, it is. Any security system that ignores human factors will not work when used by humans, or won't be used by humans, rendering it useless.

      You do realise that shifting the liability onto the banks doesn't actually prevent the theft?

      No, but it places the responsibility on those who are most necessary for resolution. If the liability was entirely on the consumer, banks and merchants would have little incentive to improve security.

      Now, I would much rather have a bit more shifted back to the consumer, so they paid a bit more attention to stuff like this, but that's tricky -- I have to think that the competing companies which assumed more responsibility (directly or through merchants) would get more business.

      Please define your vulnerability. If you are talking about the banks servers themselves being attacked...

      No, I'm talking about the terminal the users are connecting to -- most likely their home PC, running Windows, right?

      A trojan is actually way less than what's required, but let's go with that. All it has to do is intercept communication between the user and the bank, thus allowing them to intercept the transaction the user is trying to do, and instead perform a completely different transaction.

      The only way that wouldn't work is if the entire scope of the transaction is on the little "air-gapped" device, which would be both inconvenient and inflexible.

      --
      Don't thank God, thank a doctor!
    18. Re:Software alone wont ever solve this problem. by SanityInAnarchy · · Score: 1

      No one said laziness can never be solved, only that it's a security hole, which was exactly my point: Any security system has to take laziness into account. A good example of this is the Linux repository system, which has (somewhat) been adopted by Apple with the App Store -- it rewards laziness (getting your apps through a single, easy-to-use channel) with security (all apps in that channel have been vetted and signed).

      --
      Don't thank God, thank a doctor!
    19. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 0

      The increasing complexity of modern systems ensures that the security holes will only grow not diminish.

      Mmmm.... Well of course it will if OSes continue in the standard pattern, but if someone out there took a more revolutionary rethinking about how the OS and its programs ran then it wouldn't be so much of a problem.

      Many people and developers cannot wrap their heads around an OS that does not let any user or program ever modify the OS (ever) for any reason.

      Of course you still have the issue of the home directory wipe, but if the OS is clean then rebooting the system will be the easiest way to get rid of the malware. (I'm sure your grandma can do that now?)

      I suppose the closest device that does this is the iPhone OS, which also has other security measures with the iTunes store restrictions, but I don't think that is 100% needed.

      If you create an OS that cannot be modified by the user or programs that you run, then you get rid of about 99% of the malware out there.

      (and no one writes malware these days for wiping home directories because there is no money in it)

    20. Re:Software alone wont ever solve this problem. by Opportunist · · Score: 5, Insightful

      Partly right.

      What we're essentially trying to do with malware is not unlike what some countries try to do to keep illegal immigrants out. They try to shut down the border. And you know how well THAT worked, right? It's like smashing all the windows in your home and then trying to keep the flies out.

      A "total" solution does not exist, and probably never will. Whitelisting, while it would be initially quite secure, won't solve it either. Why, you ask? Because then the malware will be included in "harmless" looking programs. You will get a program that actually does what it should and contains a nifty little payload. Or, if everything fails, we'll get to see an exploit or security weakness in a program sooner or later. What? Would be detected immediately? Oh yeah, right, and that's why no consoles have ever been hacked using save game exploits. And here even EVERYONE involved in the making of the hard- and the software had the interest to NOT allow something like that to happen.

      Back on topic. We're now at the point where the number of usable exploits is down to a handful, actually. There's a reason why malware creators are reaching for exploits in third party software already (btw, Adobe, get the f... off your rear and get your act together!), simply because the usable exploits in the system itself become too few and are fixed too quickly. Recently I've seen the first exploits for popular games. Script support and the general support of user created content really opens that Pandora's box. But they're still few and far between; almost all infections today happen with the consent and actual help of the user. It's social engineering, people! Not software engineering.

      The biggest security problem is not in the box on the floor. It's sitting right next to it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:Software alone wont ever solve this problem. by Opportunist · · Score: 4, Interesting

      Nope. Whitelisting would first of all require you to KNOW (not to assume, not to guesstimate, but to KNOW) that a given application is neither harmful (ok, that's doable to some degree, provided you invest the time, and hence money, into the whitelisting process) nor can be abused to be an infection vector. And the latter part is what makes the whole whitelisting pointless.

      Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

      Whitelisting only solves the problem if you can ensure that the program you whitelist cannot be used as an attack vector. And you cannot do that unless you wrote the program yourself and thus know the way it handles user input. The moment a given program can open a file, a stream or a network connection, you open that program to user input. And that's the moment when security takes a cigarette break.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re:Software alone wont ever solve this problem. by Opportunist · · Score: 1

      This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to? If they both make that promise, what does the consumer gain from the device?

      I'd go to the first. When a company promises it's liable for user stupidity, you pay for the stupidity of other users. Or where do you think the money to cover that liability comes from?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    23. Re:Software alone wont ever solve this problem. by Anonymous Coward · · Score: 1, Interesting

      And how many non-techies do you think would do that? Most people don't need PPAs when they have 20k+ packages in the main repositories.
      Besides, I would hardly call it a virus if you're tricked into installing it. By that account, this mail would also be a virus for Mac and Linux/UNIX:

      Please save the following program to a file, run "chmod +x" on it and execute it.
      #!/bin/sh
      echo Please enter password
      su -c "rm -rf /*"

    24. Re:Software alone wont ever solve this problem. by DarkOx · · Score: 2, Interesting

      Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

      A more granular white list will work. What you really need is a white list + ACE/ACL system. Symantec Endpoint Protection actually can do some of this stuff if your admin people invest enough time in writing rules. Yes, you whitelist Acrobat Reader, but you only allow it to open file streams to files ending in .pdf and only for read. Flash might have to play a little to get that to work, but it too could probably be sandboxed effectively. Your word processor again might need read access to files in many places, but only needs to write *new* files in the documents directory and only needs to be allowed to write a couple hundred megs per instance so that it can't be used to DOS you.

      I could go on but you get the idea. You could build a system that is usable and at the same time hardened enough to remove most of the profit in attacking it. It would cost quite a bit and take a great deal of work to maintain. The industry has simply decided it's better to tolerate a certain amount of crime and clean up afterwards.

      It's kinda like your house in that way. You accept there is a certain risk you will be broken into, and you just insure your stuff. It's a better alternative than the razor-wire-surrounded, steel-walled bunker you'd otherwise have to have to keep people out.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    25. Re:Software alone wont ever solve this problem. by maxume · · Score: 1

      I'd rather have a secure computer and treat drm as a social problem.

      --
      Nerd rage is the funniest rage.
    26. Re:Software alone wont ever solve this problem. by JoeMerchant · · Score: 1

      I'm not saying it's ideal, or even desirable, but what Sony is doing with the PS3 is approaching secure. Most software requires the latest updates in order to function, and the updates stay on top of known exploits. I think it's the suckiest user experience ever, constant waiting for their slow servers to push patches, and sometimes those patches break functionality that _I_ care about, but it does seem to have kept a cap on unauthorized use, at least if you care about using the secure software base.

    27. Re:Software alone wont ever solve this problem. by JoeMerchant · · Score: 1

      In today's regulatory environment electricity would never be approved for use outside the execution chamber.

      Anything sufficiently powerful to be interesting and useful is also dangerous, it's almost an inherent property.

    28. Re:Software alone wont ever solve this problem. by SanityInAnarchy · · Score: 1

      When a company promises it's liable for user stupidity, you pay for the stupidity of other users.

      So you wouldn't actually compare the rates and find out if it's actually true?

      --
      Don't thank God, thank a doctor!
    29. Re:Software alone wont ever solve this problem. by Opportunist · · Score: 1

      No. Seriously. There are only four possible options for what I could find out when comparing that "covering" company vs. the one that decides not to:

      First, they're more expensive to compensate.
      Second, they're not more expensive and go out of business because they get drowned in the loss.
      Third, they notice in time that they're too cheap to stay in business and jack up the fees to compensate.
      Fourth, they hope for a bailout.

      None of these options is looking good.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:Software alone wont ever solve this problem. by kvezach · · Score: 1

      How about fine-grained security? There's no reason Flash should have access to files on your system, so make the OS support (and withhold) capabilities so Flash just plain can't read your files no matter how compromised it gets. Similarly, there's no reason the image rendering component of your web browser should be able to open a server on port 1337 - or any other port for that matter.

      It was done with users: an ordinary Unix user can't write to /usr/bin no matter how hard he tries (unless he escalates privileges). Why not do the same per process? It'll make coding more involved, passing security tokens back and forth, but it'll work.
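      The per-application "whitelist + ACL" idea from DarkOx's post and the per-process capability idea in this one, as an added worked example (not code from the thread or from any product such as Symantec Endpoint Protection): a small default-deny policy engine that answers read, write and listen requests for a whitelisted application, enforcing read patterns, create-only writes into a permitted directory, and a per-process write quota. The application names, paths and quota values are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Tuple


@dataclass(frozen=True)
class AppRule:
    """What a whitelisted application may do once it is running."""
    read_globs: Tuple[str, ...]    # file patterns it may open for read
    write_dirs: Tuple[str, ...]    # directories where it may create *new* files
    write_quota: int               # bytes it may write per process instance
    may_listen: bool = False       # may it open a listening socket at all


# Constructed policy mirroring the thread's examples; paths are assumptions.
POLICY: Dict[str, AppRule] = {
    "acroread": AppRule(read_globs=("*.pdf",), write_dirs=(), write_quota=0),
    "wordproc": AppRule(read_globs=("*",),
                        write_dirs=("/home/alice/Documents",),
                        write_quota=200 * 1024 * 1024),
    "flash":    AppRule(read_globs=(), write_dirs=(), write_quota=0),
}


@dataclass
class Request:
    app: str
    pid: int               # process instance; quotas are tracked per instance
    op: str                # "read", "write" or "listen"
    path: str = ""
    size: int = 0          # bytes for a write
    exists: bool = False   # True if the write targets an already existing file
    port: int = 0


class PolicyEngine:
    def __init__(self, policy: Dict[str, AppRule]):
        self.policy = policy
        self.written: Dict[Tuple[str, int], int] = {}  # (app, pid) -> bytes so far

    def check(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything no rule explicitly permits is denied."""
        rule = self.policy.get(req.app)
        if rule is None:
            return False, f"{req.app}: application not whitelisted"
        if req.op == "read":
            return self._check_read(rule, req)
        if req.op == "write":
            return self._check_write(rule, req)
        if req.op == "listen":
            if rule.may_listen:
                return True, f"listen on port {req.port} allowed"
            return False, f"listen on port {req.port} denied"
        return False, f"unknown operation {req.op!r}"

    @staticmethod
    def _check_read(rule: AppRule, req: Request) -> Tuple[bool, str]:
        p = PurePosixPath(req.path)
        # match() anchors on the right, so "*.pdf" covers /any/dir/file.pdf
        if any(p.match(g) for g in rule.read_globs):
            return True, f"read of {req.path} allowed"
        return False, f"read of {req.path} denied: no matching pattern"

    def _check_write(self, rule: AppRule, req: Request) -> Tuple[bool, str]:
        p = PurePosixPath(req.path)
        if ".." in p.parts:
            # PurePosixPath does not normalise "..", so refuse it outright
            return False, f"write to {req.path} denied: path traversal"
        if req.exists:
            return False, f"write to {req.path} denied: only new files may be created"
        parent = p.parent
        allowed_dir = any(parent == PurePosixPath(d) or PurePosixPath(d) in parent.parents
                          for d in rule.write_dirs)
        if not allowed_dir:
            return False, f"write to {req.path} denied: {parent} is not a permitted directory"
        key = (req.app, req.pid)
        used = self.written.get(key, 0)
        if used + req.size > rule.write_quota:
            return False, f"write to {req.path} denied: per-instance quota exhausted"
        self.written[key] = used + req.size
        return True, f"write of {req.size} bytes to {req.path} allowed"


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    for r in (Request("acroread", 100, "read", "/home/alice/report.pdf"),
              Request("acroread", 100, "read", "/home/alice/.ssh/id_rsa"),
              Request("flash", 300, "listen", port=1337),
              Request("wordproc", 200, "write", "/home/alice/Documents/draft.odt", size=4096)):
        print(engine.check(r))
```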

    31. Re:Software alone wont ever solve this problem. by sco08y · · Score: 1

      What we're essentially trying to do with malware is not unlike what some countries try to do to keep illegal immigrants out. They try to shut down the border. And you know how well THAT worked, right?

      Sure, Mexico has been quite brutal, but fairly effective, at preventing illegal immigrants from Honduras and other Latin American countries. I guess it would make sense to make the US's immigration laws more like Mexico's; after all, it can't be inhumane to treat them the way they treat immigrants to their own country!

    32. Re:Software alone wont ever solve this problem. by SanityInAnarchy · · Score: 1

      First, they're more expensive to compensate.

      Could be, but you don't know this yet.

      Second, they're not more expensive and go out of business because they get drowned in the loss.

      Also a possibility, so long as you understand that this is an entire option. "Not more expensive" does not automatically imply "drowned in the loss."

      There is a fifth possibility you missed: The "secure" version gouges their customers to compensate, and is required by law anyway to assume a fair amount of the risk. So you're paying more, getting marginally more security, at a lot less convenience. That's not a tradeoff most people find attractive.

      But what I find most disturbing about this is that you made a baseless assertion that they would be more expensive, and even hypothetically, you pre-emptively refuse to find out whether your assumption is true. This is the pattern of stupidity -- shouting what you think you know, and being unwilling to verify whether it's actually true.

      --
      Don't thank God, thank a doctor!
    33. Re:Software alone wont ever solve this problem. by RulerOf · · Score: 1

      While I don't have anything to add, do you know of any writeups that detail hardened SEP configurations like the one you describe? I am quite intrigued.

      --
      Boot Windows, Linux, and ESX over the network for free.
    34. Re:Software alone wont ever solve this problem. by oljanx · · Score: 1

      I call this job security. I expect it to last until someone manages to develop sentient heuristic AV software. Although, I'll wager that the black-hats will beat white-hats to the punch on this front and continue to outmaneuver them. There's a sci-fi novel in there somewhere.

    35. Re:Software alone wont ever solve this problem. by tlhIngan · · Score: 1

      And how many non-techies do you think would do that? Most people don't need PPAs when they have 20k+ packages in the main repositories.

      A lot.

      It's just like all those jailbroken iPhones, iPod Touches and now iPads who have OpenSSH with default passwords. (Hint: username is "root" or "mobile", password is "alpine"). Why do they have OpenSSH installed? Because they were blithely following some tutorial on getting something they wanted done. Be it modifying some files, installing various .debs and the like. Tutorial says "To do XXXX, go to Cydia, install OpenSSH. Using FileZilla, connect to your device root/alpine, upload the file. Then use Putty to log in (root/alpine), then "dpkg -i file.deb", then "killall springboard". Enjoy your new ability".

      Users using Ubuntu are the same as well - "I need to do XXX/try program YYY/I can't find YYY/install this PPA then install/thanks!"

      Ditto MacOS X and Windows. It's task-orientation. People need to do a task. They do the necessary prerequisites to do the task, not caring about what happens in-between; they want to get their task done. Just like how people see a car as mere transportation (task: get from A to B), while others see it as a wonderful result of engineering and a joy to tinker with. The groups overlap - someone who enjoys farting around with Linux may switch to "I need to do XXXX" mode in order to get something they need done - though hopefully they actually understand what they're doing.

  6. Security? by tpstigers · · Score: 3, Insightful

    I'm still confused about this whole concept of computer security. No other aspect of my life is particularly secure - why should I expect my computer to be secure? More to the point - why should I expect someone else to provide that security? In every other part of my life, my security is up to me to arrange and maintain. In my job, in my relationships, in my retirement, in my health - it's all up to me. Why do we think our computers will be different?

    1. Re:Security? by hedwards · · Score: 1

      I don't know about you, but I expect the police to provide security, as well as the military and intelligence agencies. They don't provide complete security, but they do go quite a ways. Computer security is like that. On top of that comes personal and community responsibility.

    2. Re:Security? by $RANDOMLUSER · · Score: 2, Interesting

      Too right. I've taken to asking people "You don't go to the bad part of town and have unprotected sex with junkies, why do you keep downloading this stuff?". Sadly, most people don't get the analogy.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:Security? by AshtangiMan · · Score: 2, Informative

      Bad analogy. Police don't provide security, they maintain control. The military may provide security, but only for itself. As for intelligence agencies, they are largely a misnomer. So in the end all you have is yourself, and your community.

    4. Re:Security? by Anonymous Coward · · Score: 0

      The padlock on a storage unit can only be attacked by someone physically there. Which means they leave a trace, be it camera videos, witnesses, GPS traces. They also need to drive to the location and have the right tools.

      A computer can be attacked from anywhere on the globe by people who might be living in a country where they face either zero consequences for breaking in, or perhaps even bounties for compromising systems.

      So, if one had to compare security, a computer has to have a lot more time put in to making sure it is locked down than a deadbolt on a door.

      This isn't as daunting as it sounds, but the problem is that good security practices are short circuited by the bottom line or convenience. I know most of us are guilty of this, because most people here are running a Web browser on the same machine and user account used for other things like gaming or banking. What one should be doing is running the Web browser in a VM so an exploit only affects the VM and not the main machine.

      Businesses do this too. I have seen businesses use WPA with a preshared key (instead of using RADIUS), and then get compromised because one machine gets jacked, the key grabbed, and then a blackhat is able to get their laptop on the network and go directly to the servers.

    5. Re:Security? by Opportunist · · Score: 2, Interesting

      It's mostly psychological.

      A computer is something you use at home, at a place where you usually feel secure, safe and untouchable. Even at work you don't expect the door to be kicked open by someone grabbing your purse at gunpoint. Hence people feel safe when using their computer. And hence their guard is down.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Security? by Anonymous Coward · · Score: 0

      So is your house booby-trapped? Do you perform your own arrests and criminal investigations? If you buy a car and it has bugs that allow almost anyone to walk up and start it up without a key, you blame yourself for not thoroughly testing it? If you bought a lock and it turned out to be faulty, you blame yourself for not thoroughly testing it?

      Are you really not seeing what you're saying? How did you get +4 insightful?

    7. Re:Security? by roman_mir · · Score: 1

      Police? They'll not provide you with any security at all. By the time the cops get involved there is already a body on the ground.

      Military providing security? Like how? After the US military invaded Iraq, hundreds of thousands, if not millions, of Iraqi civilians were killed. Is THAT security?

    8. Re:Security? by JoeMerchant · · Score: 1

      Your house isn't secure, but you do know when someone has broken in. The problem with computer security is the stealth with which the bad guys can operate, and therefore the scale they can operate on.

      My CC# isn't secure in the least, every time I use it for any purchase, I'm trusting some underpaid clerk or waiter to not steal it, but they (usually) have limited ability to profit from the theft because I would eventually notice the bogus charges (my wife checks the online statements almost nightly...)

      Bad guys stealing CC#s in computers can get millions of valid numbers and skim $20 off of each of them....

    9. Re:Security? by Anonymous Coward · · Score: 0

      I'm still confused about this whole concept of computer security. No other aspect of my life is particularly secure - why should I expect my computer to be secure? More to the point - why should I expect someone else to provide that security? In every other part of my life, my security is up to me to arrange and maintain. In my job, in my relationships, in my retirement, in my health - it's all up to me. Why do we think our computers will be different?

      Because the rest of your life isn't measured in microseconds and you don't/can't have millions of thieves trying to pick the lock on your door every week. If a person could make meatspace-zombies and send them to make more zombies, you'd be heading for the nearest military base for security, I tell you what.

    10. Re:Security? by Nolaan · · Score: 1

      Certainly because there's no thief on earth who could do 2 million tasks once he broke into your house and leave without any trace! You are a grown man/woman, so I guess that you have a relatively high control over your life; that is security. The other random deadly things that happen have little probability.

  7. They have it half-right. by SanityInAnarchy · · Score: 2, Informative

    Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response.

    First of all, you're only half-right here. Our bodies evolve diverse ecosystems of bacteria, actually varying quite a bit from person-to-person. The difference is that when we transmit bacteria from person-to-person, we might make each other sick, but that's unavoidable and actually healthy, to an extent -- it boosts our immune response. Computer systems don't get smarter when they get owned, and the risk seems much higher. (It won't kill you, but it could ruin your life, and it could ruin many lives very quickly, while in first world countries, deadly epidemics are far less common.)

    Also, Apple's approval process doesn't have to restrict users from having the option to install third-party software. It just has to provide a good, safe marketplace so that users can choose to only install Apple-vetted software.

    --
    Don't thank God, thank a doctor!
  8. Virus? Malware? by virtualonliner · · Score: 5, Interesting

    I think we are at a point where we cannot really distinguish between virus or spyware or scareware or whatever. Viruses have already started doing what spyware was doing a couple of years ago. I mean, it sounds just pointless that we distinguish them. A bad program is a bad program. It does not matter what we call it. Guys at StopBadware came up with a good term a few years ago. It's badware. It does not matter to the end user what it does!

    1. Re:Virus? Malware? by Opportunist · · Score: 1

      That line was blurred years ago. Hence I simply refer to the whole bunch of crap soft that does some harm to you as malware. Why bother with the distinction? Is it a virus, a worm, a trojan or an infector?

      Does the user care?

      No, he doesn't! He only gets confused with the amount of terms used for what is essentially the same: Software that does harm to him. "Oh, it's just a worm, phew, glad it ain't a virus, eh?" No! No, dammit! Malware, badware, whatever we call it, but let's coin ONE term for the whole crap!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Virus? Malware? by Kees+Van+Loo-Macklin · · Score: 1

      Actually I agree, but I prefer to call most of these things a virus.
      While I am aware that it is not always technically accurate, it has a greater emotional impact on non-technical people.
      The fact is, Joe average user is much more likely to take it seriously when you say.. your computer has about 10 viruses on it.
      If you tell them your computer is infected with malware, they are likely to just say "What's that?".

      --
      It's not what you know. It's not who you know. It's what you know about who you know.
    3. Re:Virus? Malware? by maxume · · Score: 1

      So why stay so tame?

      Well ma'am, the computer-raper that you downloaded is raping your documents and your photos, and it is about to rape your financial accounts.

      --
      Nerd rage is the funniest rage.
    4. Re:Virus? Malware? by Zerth · · Score: 1

      It's kind of like that saying "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."

      Similarly, malware will expand until it is an infectious, remotely controlled rootkit that bots MMORPGs using your credit card.

    5. Re:Virus? Malware? by metalmonkey · · Score: 1

      How else can virus checker providers up-sell?
      You want x-ware protection too? add $x.

  9. Macs by Mr+Pleco · · Score: 2, Funny

    The only solution.

    'Cause nothing runs on a mac.

    *gigglesnort*

  10. How is this evolution? by shikaisi · · Score: 5, Insightful

    I know evolution is a much-abused word, but TFA itself states "some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design". Let's give the Intelligent Designer some credit, even when he's a malevolent one. This virus is not going to "evolve" into another form any time soon; it has simply been designed to make limited adaptations to local circumstances.

    --
    No left turn unstoned.
    1. Re:How is this evolution? by c6gunner · · Score: 2, Interesting

      This virus is not going to "evolve" into another form any time soon, it has simply been designed to make limited adaptations to local circumstances.

      That's primarily because nobody has bothered to make evolving viruses. Sure, we've made some that can change their code in order to try and avoid detection, but their "mutations" are intentionally limited because, in the end, the "intelligent designer" still wants them to continue functioning in a certain way.

      Now, if you didn't give a damn WHAT your virus did as long as it continued to replicate, there's no reason why you couldn't make one that does actually evolve. Now that you've brought it up, I'm almost tempted to try and make one :)

    2. Re:How is this evolution? by zephvark · · Score: 1

      It's evolution in that it's become a very much more serious predator due to competitive pressure over time. That's how it goes. The only question I feel I need to ask about "Intelligent Design" is, if intelligence is something that needs to be designed, who created the designer?

    3. Re:How is this evolution? by shikaisi · · Score: 1

      That would be a very interesting experiment. After all, the replication time-scale should allow evolution to happen extremely quickly compared to biological experiments. If we found that viruses could evolve into, say, GPL software or iPhone apps in order to propagate themselves, I might almost be tempted to believe in evolution.

      --
      No left turn unstoned.
    4. Re:How is this evolution? by Opportunist · · Score: 1

      I tried something like that a while ago. It's interesting, do it! Maybe yours can survive. Mine didn't. :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:How is this evolution? by i+ate+my+neighbour · · Score: 1

      If we found that viruses could evolve into, say, GPL software or iPhone apps in order to propagate themselves, I might almost be tempted to believe in creation.

      There, fixed it for you.

    6. Re:How is this evolution? by Anonymous Coward · · Score: 0

      While I understand this is a joke, you're not doing it well. Computer viruses are evolving. Not because they are doing something themselves but because people are changing the design bit by bit, to be even more useful or harmful. Many things evolve despite the fact they're not alive, they're merely replicators, like real viruses or RNA strands. It's a process of mutation and selection, environmental pressure. One could even argue that e.g. we humans are but replicators. But don't worry, many people don't grok it.

    7. Re:How is this evolution? by Anonymous Coward · · Score: 0

      Could this be what Erdős called "The Supreme Fascist"?

    8. Re:How is this evolution? by sco08y · · Score: 1

      It's not so much the abuse of the word "evolution" but the tendency to completely ignore the whole process of human beings collaborating to write this code, and that's really where the story is! Having eliminated the human aspect (deanthropomorphized?) he thus imbues computer viruses with the abilities of living things, abilities that he probably doesn't really understand and I know that, as a typical reader, I have only a basic understanding of how viruses work.

      I know editors want to dumb this stuff down, but when your article starts to read like a Michael Bay screenplay, you might want to get a little more technical.

  11. I guess anything can make the front page of /. by Anonymous Coward · · Score: 0

    What a completely uninformative, poorly written, 'no shit sherlock' article!

  12. Ya Ya Ya... by ebonum · · Score: 1

    But is it GPL?

    1. Re:Ya Ya Ya... by Anonymous Coward · · Score: 0

      No, but it runs Linux.

  13. Macro 101 by dinog · · Score: 1
    Because when you get to the "then can execute arbitrary code" part, it becomes a fairly general-purpose thing. Why not maximize potential profitability?

    Dino

    The code looks more like someone was juggling Swiss Army Chainsaws.

    1. Re:Macro 101 by Anonymous Coward · · Score: 0

      The post right above you says: "But is it GPL?" Funny and true. I predict that they will very soon have an alternative to our free software commons, which will include a complete toolkit that kicks in once a host is infected and anti-virus is neutralized. They will save a lot of energy by concentrating on a very narrow and specialized topic of propagation. Just like with biological life, the propagation mechanism will overshadow everything else by its complexity and, well, beauty.

  14. Re:tl;dr by Anonymous Coward · · Score: 0

    I see my comment on the terrible writing style of TFA was well understood.

  15. Making stupid boxes... by blahplusplus · · Score: 5, Interesting

    ... It might be time for the OS to compartmentalize the browser, keeping the net enclosed from the main system within a virtual machine. This way, even if the "computer" were infected by malware, it would disappear when the VM was closed down. Also, a whitelist of executables on the host machine would go a long way to stopping malware, as would permanent logging/monitoring of unrecognized executables or DLLs being loaded so they can be analyzed.

    1. Re:Making stupid boxes... by jimicus · · Score: 1

      Which is fine and dandy except....

      .... the closest thing we have to a whitelist (UAC in Windows) is effectively useless because the default response of the end user is almost always going to be to click "Allow".

      .... sticking every application in a VM fails horribly as soon as you want an application to do something that may involve interaction (either with the underlying OS or another application). Example: How are you going to download ${RANDOM_APP} if your web browser can only save files within a VM that gets automatically erased when you shut it down? You can't allow exceptions so the web browser can under some circumstances save files on the underlying host because as soon as you do that you eliminate most, if not all of the security that running in a virtualised environment offers.

      ... malware frequently doesn't need to exploit the end user; it exploits bugs in applications or the underlying OS. In which case, talk of whitelists and sandboxing simply adds another layer of complication where more bugs may appear, while giving little additional security.

    2. Re:Making stupid boxes... by Anonymous Coward · · Score: 0

      I read about a security add-on to systems, I think HP made it, where unless an app was handed a directory for data, or it opened/saved a file via a standard dialog, it would have no access to said files. This way, a program that runs in a user context won't be able to access the Registry or start-up info. It won't be able to read anything unless the user manually starts an open dialog.

      That is an interesting answer, but more like a patch. Ideally, a security system would be similar to Android, where each app has its own UID and can only access the info it creates unless it asks for the permissions on install.

    3. Re:Making stupid boxes... by JoeMerchant · · Score: 1

      Problem is if the VM gets sufficiently complex, it's still a significant loss when it gets corrupted. It's all well and good to say that you just want a browser in the VM, but that browser wants all of its plug-ins, and your bookmarks, oh and your saved passwords too... eventually the VM becomes indistinguishable from the whole machine.

      If you want to "protect yourself" when doing something unusual and risky, then a VM can be like using a condom... it diminishes the spontaneity of the act, and provides a measure of protection, but ultimately you're not interacting with the other side in a natural and open manner, and many people just don't want to live that way.

  16. Re:Sometimes I think apple has it right vetting s/ by znerk · · Score: 1

    The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.

    This is the absolute best place to start when fighting malware. Educate the user, even if it's just "stop letting your kids use LimeWire to download music/movies/apps/trojans/viruses".
    Most of the issues that Joe User experiences are completely explainable as PEBKAC.

    --
    Problem Exists Between Keyboard And Chair. Abort, Retry, Explode?

    --
    This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  17. It kinda depends by warrax_666 · · Score: 2, Insightful

    You're certainly right that a sufficiently motivated idiot can compromise any system, but the system designer could probably mitigate the problem of idiot users (dancing bunnies, etc. in their inbox) into irrelevance.

    It's just shoddy design that .doc files with macros can be opened directly in MS Word without any kind of sandboxing of the file system to prevent macros from rooting around the file system for other documents to infect. The way I see it, you could have a more fine-grained privilege system where it isn't all-or-nothing, but where some documents (files) get more privilege to "do things" based on where they're from (inbox, local file system, remote file system, etc.). Of course you'd need some way to elevate/demote the amount of trust you (as a user) have in a document. This could perhaps be exploited by spammers/scammers, but if most of the documents your average user receives in their email run fine with the lowest possible privileges, then they'd at least be more likely to actually notice when a document in their inbox needed elevated privileges to function. (As opposed to now, where you'd get the exact same warning for every single document in your inbox regardless of the document. So your average user just learns to click "Yes, I know what I'm doing" without even reading the dialog box.)

    (I'm not saying things are much better in Linux land, it's just easier to make the point using MS Word .doc's as an example since Linux email clients don't tend to be quite as fast & loose with loading documents/attachments.)

    --
    HAND.
    1. Re:It kinda depends by Opportunist · · Score: 1

      Doesn't change jack. The social engineering just gets more sophisticated. Like a mail from your bank that actually informs you that the attachment will ask for elevated privileges. Think anyone will refuse? It's bank stuff, ya know, that's sophistimacated and secure and stuff, of COURSE it needs my root password to work right! Or that superspecial download manager you need to download all that free porn? It needs those privs because, you know, it hacks into the sites that actually serve all the porn and to do that it needs to do really low level system kernel TCP and possibly even IP stuff.

      So do you think the user will click OK, yes and amen to all that? After all, he was told why all those elevated privileges are really, really necessary. And we're not stealing stuff from him. Honest. We're certified! Look at our "no spyware site" logo at the top left corner!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. 'new generation' file viruses by Anonymous Coward · · Score: 0

    What operating systems and platform are required for this all-purpose malware to function? What actions are required by the end users in order to activate it?

  19. Software PLUS USER EDUCATION can solve it by Anonymous Coward · · Score: 0

    "Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions." - by Mattpw (1777544) on Friday May 28, @11:16PM (#32385992)

    The best solution I have come up with is to use what's in this guide (it uses the concept of "layered security"), and results users have seen are as follows:

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):

    http://forums.theplanet.com/index.php?s=a3272f47031ff9e8939bf662e3a7b7fe&showtopic=89123

    ----

    It works, & is based on the concept of what many computer security folks the past few years have been calling "LAYERED SECURITY"...

    PROOFS/EXAMPLES OF ITS EFFICACY? Ok, below:

    ----

    http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60

    "the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

    AND

    http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2

    "I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

    AND

    "APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

    AND

    http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3

    "It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half-life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciative too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

    ----

    (Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from

  20. Re:Sometimes I think apple has it right vetting s/ by selven · · Score: 1

    Our main advantage is that we're all slightly different from each other, so diseases can't usually spread to everyone. The computing world, with its 94% Windows market share, lacks this feature and is thus suffering a permanent Irish potato famine.

  21. Re:Sometimes I think apple has it right vetting s/ by Anonymous Coward · · Score: 0

    virii

    That is not a word.

  22. Impressive summary by BeerCat · · Score: 2

    A summary that mentions "evolving" and "intelligent design" in the same sentence?
    Now that really is impressive (and guaranteed to upset both Darwinists and Creationists at the same time).

    Boffo! A good one!

    --
    "She's furniture with a pulse"