Malware Is a Disease; Let's Treat It Like One
jfruhlinger writes "The most common metaphor we have for computer malware — 'virus' — emphasizes that in many ways malicious computer code mimics biological pathogens. And yet, while the U.S. government has rapid response plans in place for an outbreak of a new disease, we're content to let the private sector react to hugely damaging computer infections. Tom Henderson thinks we need the cybersecurity equivalent of the CDC."
I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
If you get good people staffing it, not a bad idea. It could focus on a lot of the massive but individually low-level threats, rather than some of the high-level stuff that the FBI does.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
So why don't we just arrest and throw everyone in jail that catches a computer virus!
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
A lot of the rapid response plans the CDC has on the books call for things like quarantine and mass vaccinations.
The odds that grandma and grandpa have had their yearly flu shot are much higher than the odds that they're running a patched version of Windows.
And despite numerous proposals to cut off infected machines (aka quarantine) I've yet to see the idea implemented on a large scale anywhere other than college/university campuses.
[Fuck Beta]
o0t!
I'm guessing Tom doesn't mean Cult of the Dead Cow.
If I have been able to see further than others, it is because I bought a pair of binoculars.
If the malware purveyors have broken the law, let the government prosecute them as needed.
Otherwise a plan like this involves more bureaucracy, money, privacy invasions, red tape, and inefficiencies. Worse, you're proposing an agency whose work will necessarily cross borders adding to the complexity. Make it more lucrative for private industries to report infections to law enforcement, remove the stigma of having been "infected", and easier to prosecute or recover damages.
This is just what our broke-ass, can't-find-its-dick-with-its-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.
-- You are in a maze of little, twisty passages, all different... --
no, there's plenty of government money dumped into it in almost every country. is it doing any good? not much, the main thing it becomes is that some guys who get dumped lots of money just go around making the same lectures every now and then, with powerpoint slides saying "unix is a security protocol" and shit like that. and the damages can't be measured as it's just human placed value on it, making the data losses and breaches in actual money (or hardware) hard to measure.
"Yes, there’ll be some that won’t be vaccinated for religious reasons. Their systems need to be partitioned from infecting others. I don’t know the mechanism to do this, but Network Admittance Control is a thought.". his solution would actually be that every machine is vulnerable to government infection, actually being a botnet to begin with. so, fuck his solution, fuck him.
world was created 5 seconds before this post as it is.
Please update to the latest version of Microsoft (tm) Windows (tm) 7 (R) Professional (tm) or Microsoft (tm) Windows (tm) 7 (R) Home to reconnect to the internet.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
If a disease outbreak ravages the country and kills the young, the old, the weak, that would be a huge tragedy.
If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
This agency would have to have international power and able to act swiftly. It would be nice to see some high profile punishment for hackers on the payroll of organized crime in countries that are weak on enforcement. Maybe we should take a Vegas casino stance on these guys like they do with their cheaters. Have fun with your "1337" hacking skills after someone breaks all your fingers with a hammer.
I Cater to the Needs of Stupid People. - from a coffee mug Christmas gift
Look at how well they handle airport security, natural disasters, delivering packages, stopping drug smugglers, determining if Iraq has nuclear research, planning a budget, improving the economy, and virtually every other task they've ever attempted.
The only thing government does well is apply force, because that's all government is.
I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing with an issue than a bureaucrat who will use failure as an excuse to ask for a bigger budget. In private industry, failure is punished. In government, it's rewarded.
...ban Microsoft products.
Just because viruses on computers and viruses in people have the same name and share some -very- vague similarities (i.e. they _can_ spread on their own) doesn't mean that every concept related to a computer can be translated into a biological one. Better security practices are needed, not another faceless organization to tell us about it. The CDC serves an important role because it tries to solve a problem completely unrelated to electronics; trying to shoehorn the same sort of organization into an IT role doesn't make any sense. Reeks of some governor's project that stands to make him a bit of pocket money, much like the TSA's "glow in the dark" scanners.
Sure, right now, malware is used to spew spam, steal credit card data etc... but one has to recognize that it is very resilient against all efforts to eradicate it. Fast forward a few years or in other regions, where Government wants to assume total control of the 'Net. Wouldn't malware be the only piece of distributed p2p software being able to resist total censorship? Let's not dismiss malware just because it is being used for nefarious purposes now: it could come very handy in the not too soon dystopian future.
cpghost at Cordula's Web.
Cyber Defence Council!
how is babby formed?
The thing about the CDC is that it is possible to immunize and/or treat basically anyone. Financial and logistical concerns may make doing so impractical, but where treatments exist, they tend to work to varying degrees in just about anybody.
Malware isn't like this. Older software tends to lapse out of support. That's not an insurmountable problem in the OSS community, where the source code to the OS is available so that someone other than the maintainer could write a patch. But with closed and obsolete operating systems -Win95, for example, or Mac OS 9- who's going to write the patches?
When you're too stupid to properly name the problem you're trying to address then just BOAKYAG. I doubt there has been any threat from a virus in a decade; today's threats are trojans and worms.
But not in providing the "solution".
Rather, the government should update their requirements for "anti-virus" software to include:
1. A bootable CD/DVD that runs the anti-virus app in order to bypass the problems of the "virus" interfering with the clean-up.
2. Hashes (multiple hashes) of the KNOWN system files and their default locations and sizes.
3. As with 2 above, but also including as many applications as possible.
4. Of course the hashes would have to be easily updated after booting the CD/DVD. From a website and/or a local server (controlled by your IT department).
5. Related to 4 above, include the ability for the local IT department to add their own hashes and locations of the apps they've developed "in house".
At least this way the IT department SHOULD be able to tell what is NOT infected.
I know, you might be able to get a collision on a specific file with a specific hash. But it is extremely unlikely that you can get multiple collisions for different hashes on that file and still keep it to that same size AND have it do anything "dangerous".
Government specs it ... the market provides it.
And the regular users benefit from it.
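Added example (not part of the comment above, and not any vendor's product): a minimal integrity manifest in the spirit of points 2 through 5. Each known file is recorded with its expected location, size and several independent hashes; a scan run from clean boot media can then report which files still match and which do not, and a local IT manifest is merged into the vendor baseline without being allowed to override it. File names, contents and the three-algorithm choice are constructed for the demo and run offline in a temporary directory.

```python
"""Integrity-manifest demo: location + size + several hashes per known file.
Constructed example; the sample files and paths are not real system files."""
import hashlib
import json
import os
import tempfile

HASHES = ("sha256", "sha512", "blake2b")  # several algorithms, per point 2


def fingerprint(path):
    """Return size plus one digest per algorithm for the file at path."""
    digests = {name: hashlib.new(name) for name in HASHES}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"size": size, **{n: d.hexdigest() for n, d in digests.items()}}


def build_manifest(root, relpaths):
    """Record expected location, size and hashes for each known file."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in relpaths}


def merge_manifests(vendor, local):
    """Point 5: local IT entries are added to the vendor baseline; a local
    entry must not silently override a vendor entry for the same path."""
    merged = dict(vendor)
    for rel, entry in local.items():
        if rel in vendor and vendor[rel] != entry:
            raise ValueError(f"local manifest conflicts with baseline for {rel}")
        merged[rel] = entry
    return merged


def verify(root, manifest):
    """Return {relpath: 'ok' | 'missing' | 'modified'}. A file is 'ok' only
    if its size and every hash match the manifest entry."""
    result = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"
            continue
        result[rel] = "ok" if fingerprint(path) == expected else "modified"
    return result


def demo():
    """Constructed scenario: two 'system' files and one in-house tool; then
    one system file is altered in place (same size) and another is removed."""
    with tempfile.TemporaryDirectory() as root:
        files = {"system/kernel.bin": b"A" * 1024,
                 "system/loader.bin": b"B" * 512,
                 "apps/inhouse.exe": b"C" * 256}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        vendor = build_manifest(root, ["system/kernel.bin", "system/loader.bin"])
        local = build_manifest(root, ["apps/inhouse.exe"])
        manifest = merge_manifests(vendor, local)
        # Same-size modification: a size check alone would not catch this.
        with open(os.path.join(root, "system/kernel.bin"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"Z")
        os.remove(os.path.join(root, "system/loader.bin"))
        return verify(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification reports only what matches the baseline, which is the point made in the comment: it tells the IT department what is known-good, not what every unknown file is.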
Take your example of the solicitor general. They are supposed to argue the position of the United States Government in the Supreme Court.
The official position of the United States Government, by the passing by the House and Senate and signing by the President, is the Defense of Marriage Act. It is the law of the land regardless of its (IMHO) stupidity.
However, due to political considerations, the "institutional competence" of the United States Solicitor General will not be used to defend the position of the United States Government, as is its mandate.
Likewise, for political reasons the Department of Justice refuses to use its professional competence to prosecute egregious examples of race-based voter intimidation.
However, this issue of malware is not likely to be political, so the government might actually do a pretty good job in this role. It is interstate in nature, and it is a role, like fire departments, that is not efficiently served by free market solutions.
In order to serve you better the Government Department of Internet Security has installed Friendly Protector 1.0
Friendly Protector has determined you have 182 instances of unlicensed MP3s and movies; please report to the nearest courthouse to pay your fine
Fine is 458,000 made payable to the MPAA/RIAA and current politicians election campaign
Friendly Protector has determined that you have 3 instances of adware; 1 instance has been approved and is now protected from removal on your system
Please download AV protection to remove the other 2 instances of adware
You have 1 instance of malware however we are unable to pursue this as our law enforcement branch is currently dispatching helicopters to your location to deal with the unlicensed copy of Ishtar found on your PC
Thank you for using Friendly Protector 1.0 and look forward to 1.1 and phone GPS tracking software to further protect your security.
I actually think that there's something going on here. Pretty much all of us here, personally, would not benefit from government intervention - this is true. If you're here on /. reading the comments, I'll bet damn near all of us who have GOTTEN a virus, either did it on purpose or took a calculated risk expecting one. Most people who pick up malware are, to put it bluntly, idiots when it comes to computers.
And the bad part IMO comes from when they get themselves turned into zombies - I wouldn't mind seeing the government trying their hand at applying their force and legal requirements to this end. Because most people don't have a financial incentive to try to remove themselves from a botnet if they're part of one, they won't go through the effort - or spend the money - for a private solution. To them, it's just a hassle, and one they've got no reason to go through with. The only way to persuade them to deal with that, at least, is a bigger hassle - the government being a pain in the neck.
Now, for other malware, for phishers and scammers, hostile viruses and worms that attack you directly, I don't think the government can do much that the private industry isn't already doing - or the free software available is. When a problem comes up, they respond quickly, and I don't see how the government could aid aside from mandating some AV software of some kind - but that will already get rammed down your throat by whoever you call for tech support when your system goes belly-up, rendering it IMO not much improvement at all.
So, for diseases, we focus on prevention.
Oh, right, we'd rather take a magic pill (antivirus software) than do the right things to keep it from happening in the first place. Exercise and proper diet? No way! It's not my fault I'm fat!
http://www.us-cert.gov/
From the US-CERT "About Us" page:
US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.
Information is available from the US-CERT web site, mailing lists, and RSS channels.
US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.
Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Where is US-CERT located?
US-CERT is located in the Washington DC Metropolitan area.
What is US-CERT's relationship to NCSD and DHS?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace .
Singlehandedly, I'm most of the way there. I'm not saying it to toot my own horn, but as a statement of fact. I've already got 7 (technically 8) databases implemented and currently in the process of creating three more. I don't really consider offensive.dat in the database list because it's designed for parental control scanning. http://www.tot-ltd.org/installation.db http://www.tot-ltd.org/blacklist/0-F http://www.tot-ltd.org/whitelist/0-F http://www.tot-ltd.org/API/ http://www.tot-ltd.org/ports/ http://www.tot-ltd.org/heuristics.dat http://www.tot-ltd.org/packer.db
What Microsoft, Adobe, and Apple need are better QA and auditing. Either that or their software should be taxed in order to fund this initiative.
If your computer or your network is doing harm or attempting to harm a 3rd party, it's just as though you punched them in the face.
I would be all for it if we could have these drones identified and kicked off the internet until they are proven decontaminated. This could be all handled at the ISP level. Maybe even just an "outbound filter" being put on these connections restricting their access down to HTTP port 80 and 443 traffic. With online web accounts, the typical person uses gmail, yahoo mail, hotmail, facebook or some other form of email that doesn't require an email client configured. And if their email client doesn't work... who cares. They should be shut off the internet until they get their machine fixed.
Being on the internet isn't a right, it's a privilege being governed by the free market and 3rd party private companies.
A typical ISP reserves the right to drop you from service for any reason. They aren't required to keep you as a customer. I believe that greed within these entities keeps this from happening. They don't want to risk reducing their customer base even 1%.
So getting back to the topic of this post, if a precedent could be set of what is considered intrusive from one machine to the next, the government could mandate ISPs to shut down these systems at the request of a 3rd party which could provide evidence that this machine is attempting to do something malicious.
If this happens then basically any machine trying to hit port 139 or spraying ssh connections all over the internet, or smtp email all over the place, all these things could be shown as intent to harm a 3rd party and be shut down... And once it's down, they can resolve the issue and bring it back online.
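Added example (not part of the comment above, and not any ISP's actual tooling): detection logic for the behaviours the comment names, run over constructed flow records. A source that contacts more than a threshold of distinct destinations on TCP 139, 22 or 25 inside the window is flagged, and the policy function returns the web-only port set the comment proposes for a flagged host. The addresses, flows and threshold are all constructed for the demo.

```python
"""Flag hosts spraying SMB, SSH or SMTP connections across many destinations.
Constructed example: the flow records below are synthetic, not real traffic."""
from collections import defaultdict

# Constructed sample flows as (src, dst, dst_port) tuples.
FLOWS = (
    [("10.0.0.5", "203.0.113.%d" % i, 139) for i in range(1, 31)]    # 30 SMB targets
    + [("10.0.0.6", "198.51.100.%d" % i, 22) for i in range(1, 13)]  # 12 SSH targets
    + [("10.0.0.7", "192.0.2.10", 443), ("10.0.0.7", "192.0.2.11", 80),
       ("10.0.0.7", "192.0.2.12", 25)]                               # normal host, one mail server
    + [("10.0.0.8", "192.0.2.%d" % i, 25) for i in range(20, 45)]    # 25 SMTP targets
)

WATCHED_PORTS = {139: "smb", 22: "ssh", 25: "smtp"}
THRESHOLD = 10  # distinct destinations per port within the window (assumed value)


def distinct_destinations(flows):
    """Map (src, port) -> set of distinct destinations, watched ports only."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if port in WATCHED_PORTS:
            seen[(src, port)].add(dst)
    return seen


def flag_sprayers(flows, threshold=THRESHOLD):
    """Return {src: {service_name: distinct_count}} for sources at or over
    the threshold on any watched port."""
    flagged = defaultdict(dict)
    for (src, port), dsts in distinct_destinations(flows).items():
        if len(dsts) >= threshold:
            flagged[src][WATCHED_PORTS[port]] = len(dsts)
    return dict(flagged)


def outbound_filter_policy(src, flagged, allowed=(80, 443)):
    """The comment's proposal: a flagged source keeps only the web ports;
    an unflagged source is unrestricted (returned as None)."""
    return allowed if src in flagged else None


if __name__ == "__main__":
    hits = flag_sprayers(FLOWS)
    for src, services in hits.items():
        print(src, services, "->", outbound_filter_policy(src, hits))
```

Counting distinct destinations rather than raw connection counts is what separates the single legitimate mail-server conversation of 10.0.0.7 from the spraying hosts; a busy but legitimate relay would need a whitelist on top of this.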
Ronald Reagan (peace be upon him) said: "Big Government IS the problem." And you bought it. And you've been buying it ever since.
I'm not buying it. I didn't buy a lot of shit Reagan sold: Borax, Chesterfield cigarettes, supply-side economics. But Reagan sure knew how to shine those turds.
Much can be done to solve this particular problem in the private sector, to be sure, and I don't necessarily disagree that legislation may be unnecessary. But I marvel at how quick the anti-government knee-jerk reflex kicks in. It's a testament to the successful propaganda campaign of corporate owned media and right wing think tanks.
of Outbreak http://www.imdb.com/title/tt0114069/.
If we treat it like a disease, then we should just "manage" the symptoms with overpriced "treatments," instead of actually fixing the problem.
giggity
So we should dump funding into malware research and make it such a big business for the "good guys" that we never cure the disease because they good guys are now making too much money off it?
... biological warfare. Malware didn't evolve naturally, it was engineered.
The default stance of any sane, clear-thinking individual who values their own individual freedom should be the anti-government stance. The answer to every problem is not: "there should be a law to prevent it from happening / force it to happen" and not every aspect of life needs a government bureaucracy to oversee and regulate it. That you don't agree with Reagan's comment doesn't make it any less true or valid. It's still the problem and will continue to be the problem for all eternity. I never understood why people place so much trust and faith in government when it continues to show time and time again it is not worthy or deserving of it.
Become truly awful due to some element of human stupidity or laziness. People dump their poo on the sidewalks, businesses continuing to use IE6 instead of porting apps to standards, etc.
Well in that case, this magical government entity that was designed to protect us from all malicious infections would get in bed with the security companies. Because who else is going to fund this big grand organization? Our tax dollars?? HA! So after Symantec and McAfee get in bed with this Cyber CDC or CCDC, they will tell the CCDC what is profitable to them for the CCDC to label a virus. And so it goes that certain malware will not be profitable to treat and will thus be considered a bogus threat. Or you can look at the real world example with the CDC and Lyme disease.
The problem is that the creation of such a thing would likely be just a giant 4th amendment violation most likely. Furthermore what does this group do exactly? Do they just cut you off the internet? Do they go on site and attempt to 'cure' the infection giving the businesses even less reason to keep themselves clean? Do they go on site and just take all infected computers never to be returned?
Pretty sure regardless of the action done it's going to be a disaster waiting to happen.
But the DOMA decision was highly controversial, even within the office, and is by far an outlier. For the most part, when new administrations come in they are gung-ho to use the SG's office to get all of their preferred cases to SCOTUS (i.e. the ones they'll win on), but the SG's office never winds up trying to do that because the long term institutional role of the office would be greatly undermined if they did.
In addition, its mandate is *not* to defend DOMA--its mandate is to represent the United States Government, which does not mean fighting every case where they have an unsanctionable argument. In addition, where the issue comes before the Supreme Court, there is *zero* chance that there will not be competent representation if they drop out--it would be more worrying at the circuit level.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
THE CDC exists because the consequence of not stopping an outbreak is a massive decline in the human population, such as during the plague in Europe. Malware infects computers because most IT departments are understaffed with no security budget, or sufficient knowledge.
Also, let's define what a break-in is: a DDOS attack launched by Anonymous IS NOT a break-in, it's merely exactly what it states and that's no service. So DDOSing a place like Lockheed doesn't get you anything besides an arrest warrant. But Lockheed is filthy rich, we can't all be that way, so maybe we need something else...
How about security certs? BBB ensures quality service from their businesses through membership. Why not have a ranking system for how strong your security system is. Say I don't want to give my SSN to a C ranked company over the web, but I have no problem with A.
The point being we can handle this w/o the government and be all the better for it.
Ronald Reagan (May the demons of the 9th pit tighten his thumb screws a bit harder on this day)
Fixed that for ya.
Anti-virus companies have a very strong built-in incentive to never actually put an end to malware, because that would put them out of business.
Politicians have a built-in incentive to permanently eradicate malware, because the politician who did that would then certainly be either appointed or elected to a more powerful, more profitable post.
This is the stupidest thing I have ever seen posted to Slashdot.
"Ayn Rand is a bloody socialist compared to me." - Robert A. Heinlein
Give me a break. A cybersecurity version of CDC? Beyond the billions of taxpayer waste funding that abomination, care to explain how in the hell even the most ignorant dumb-ass moron user can't understand the simple instruction of "turn it off"?
Malware is localized and contained within a hard drive, and instructions are just that simple to contain it. Turn the damn thing off, or disable all network interfaces. I don't need a multi-billion dollar agency telling me something the evening news could do just as easily. You're preventing Malware from spreading, not trying to control Ebola from killing your kids. And no, I don't give a shit how bad teenagers cry, it is possible for the human body to continue to function without the Internet or a cell phone if absolutely necessary.
AC, Please look up "straw man fallacy".
Do you really think it's the government that's the only threat to your liberty? Do you suppose that corporations are interested in preserving your freedoms? If we can't check corporate power through government, how shall we do so?
A politician can render a competent worker incompetent by telling him not to apply that competency.
No matter how capable you are, you can't do your job if you're told not to.
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
* Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
* Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
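Added example (not part of the comment above): turning raw counts like the ones quoted into comparable rates. Given infections observed across a host population over a window of a given length, it reports the rate per 10,000 hosts per year and per month, and attaches a 95% Wilson score interval so that two institutions with different population sizes and small counts can tell whether their rates actually differ rather than just comparing point estimates. The dataset is constructed from the three figures in the comment (12,677 hosts over 12 months); the interval method is a standard one, not something the comment describes.

```python
"""Infection-rate metrics with a confidence interval for comparison.
Constructed example; the dataset mirrors the counts quoted in the comment."""
import math

# 12,677 hosts, March 2009 to March 2010 (12 months), counts as quoted.
USU_2009_2010 = {"hosts": 12677, "months": 12,
                 "infections": {"Conficker": 15, "Torpig": 20, "Mebroot": 5}}


def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for the proportion k/n (well-behaved for small k)."""
    if n <= 0:
        raise ValueError("population must be positive")
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def infection_rates(infections, hosts, months):
    """Per-10K rates: the raw fraction, annualised, monthly, and a 95% interval
    on the annualised per-10K figure."""
    p = infections / hosts
    lo, hi = wilson_interval(infections, hosts)
    scale = 10000 * (12 / months)  # per 10K hosts, annualised
    return {"fraction": p,
            "per_10k_year": p * scale,
            "per_10k_month": p * scale / 12,
            "ci95_per_10k_year": (lo * scale, hi * scale)}


def rates_differ(a, b):
    """True only when the two 95% intervals (per 10K per year) do not overlap,
    i.e. the difference is unlikely to be small-sample noise."""
    a_lo, a_hi = a["ci95_per_10k_year"]
    b_lo, b_hi = b["ci95_per_10k_year"]
    return a_hi < b_lo or b_hi < a_lo


def report(dataset):
    """Compute the metrics for every malware family in a dataset."""
    return {name: infection_rates(k, dataset["hosts"], dataset["months"])
            for name, k in dataset["infections"].items()}


if __name__ == "__main__":
    r = report(USU_2009_2010)
    for name, m in r.items():
        lo, hi = m["ci95_per_10k_year"]
        print(f"{name:10s} {m['per_10k_year']:5.1f}/10K/yr  "
              f"{m['per_10k_month']:4.2f}/10K/mo  95% CI [{lo:.1f}, {hi:.1f}]")
    print("Conficker vs Torpig differ:", rates_differ(r["Conficker"], r["Torpig"]))
    print("Torpig vs Mebroot differ:", rates_differ(r["Torpig"], r["Mebroot"]))
```

With counts this small the intervals are wide: Conficker and Torpig overlap and cannot be called different on this year's data, while Torpig and Mebroot just separate. That is the kind of caveat any cross-institution comparison would need to carry.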
Step 1: Draft a law that says anyone writing a computer virus or malware that causes significant damage to users' computers is liable for all the damage and spends up to life in prison for their efforts. This crap is no different than walking into 100,000 - 100,000,000 homes and either smashing their computer or taking a couple of hundred bucks out of their wallet.
Step 2: Get all of the world's nations to agree with the law and enforce it within their borders. Anyone who doesn't feel like it gets no aid from anyone else ever again.
Step 3: Watch most of these morons find something else to do with their spare time.
Step 4: Watch the ones that aren't smart enough to do something else spend 45 years making license plates and sending their earnings to the computer users who had to buy a new computer or pay someone to fix theirs.
Despite loading antivirus and antimalware software on every computer in my extended family, about 75% of them annually get malware that cripples and eventually renders the machine useless. It usually takes me 3-5 hours to run scans, remove the malware, and recover their data. At this point I have a backup of everybody's machine so I can just restore them in 15 minutes to a previous working state. What a huge waste of my time and resources.
While they are ordered NOT to do their duty and defend the position of the United States Government.
In general though, I would hope they are among the least competent people in government. These are the people who defend laws that are very often unconstitutional. They were the ones defending the various civil rights abuses caused by the war on drugs.
The way we treat disease is by ignoring cures, developing expensive treatments, and enslaving the patients to life-long pill taking to keep the disease in check while they are milked of their hard earned money.... Even anti-virus software makers are that evil...
Isn't that what Bleepingcomputer.com is...?
the help Winders people get ridda bugs n shit.
Whoa! Here's a concept; how about we treat crappy OSes like a disease?
Cells get infected when rogue genetic material gets past their defenses. A single infected cell can eventually lead to massive side effects.
The same thing is true when rogue programs get past firewalls, antivirus, etc. A single computer can result in network wide side effects. Thus far the analogy holds, and is a helpful tool.
Unlike the situation with our cells, we can redesign the way our operating systems work, so that they don't trust programs. This shift would then allow the user (or administrator) to decide what resources would be made available to any given instance of a program. This makes it practical to limit the side effects of a rogue program, or even one which just has a bug.
Computer security can be FIXED, and we should start working on it now, so that the lack of a solution isn't used as an excuse for more intrusion, and destruction of liberty.
This guy must be an idiot. If you wanted to spend 100 million dollars for what a single, crappy security researcher could do, I guess it is a way to burn through tons of money.
... I'm the cure. This is where the law stops and I start, sucker.
(Cue automatic weapons fire and explosions).
To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!
I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.
That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, set
A disease? Well let's those viruses to AA (those Anonymous assholes).
Other Operating Systems have, in principle, the same general features & guides for them also that implement "layered security" methods as well, as seen here:
---
Apple's MacOS X Security Guide:
http://www.apple.com/support/security/guides/
---
&
---
Securing Linux:
http://www.puschitz.com/SecuringLinux.shtml
(Linux in particular has a WEALTH of information here in fact in the topic of securing it far, Far, FAR BETTER than the "default" shipping setup, & the above link is only a tiny sampling thereof too, mind you!)
AND?
Linux distros (many to most), also have SeLinux!
(Which the NSA themselves "bolted onto" std. Linux making it possible to have MAC (analog to Windows NT-based OS ACL's &/or an analog to Windows NT-based OS "Group Policies" (gpedit.msc) + "Security Policies" (secpol.msc)).
---
* So yes, OS' can be SECURED, & far better than they ship to "end users" by default... but, YOU have to take the time to do it yourself largely is all!
(There are tools that help, for Linux &/or Windows, there exists the CIS Tool which is multiplatform & does help guide "the novice" somewhat, & makes it almost "fun-to-do", like running a benchmark of system speed, albeit in CIS Tools' case, for security (based on security std.s/"best-practices", for the OS @ hand tested))
APK
P.S.=> However, THE MAIN PROBLEMS TODAY IMO? End users themselves being ignorant or uncaring about it, allowing for "spreading the disease" for one thing (ignorance IS excusable though, they're NOT "expert" @ computing etc. - but not helping them out on the part of those who ARE in fact, "expert", is imo, inexcusable by the same token)
AND, of course/as well:
The malware makers/hacker-crackers out online, in general, also... but - these types @ least do "1 good thing" imo @ least & that's POINTING OUT WHAT NEEDS TO BE FIXED!
So, "all that said & aside":
MS is doing the right thing, so are folks like GOOGLE on this account as another example thereof as well, & so far folks like Norton DNS, OpenDNS, & ScrubIT DNS also (they employ filtering DNS servers that are FREE TO USE, vs. malware, phishing, bogus DNS servers, botnet C&C Servers, known maliciously scripted sites, or sites KNOWN to serve up malware too!).
So, security's (especially "layered security", the best thing we as end users currently have going in fact in our favor) IS DOABLE, but you have to know what to look for, sometimes a guide too (because it's a WEE bit complex, but not really as opposed to harder things in the art & science of computing such as programming imo)
... apk
They point out what needs fixing/shoring-up, security-wise... & they don't "take advantage of it" typically, + do serious damage...
E.G.-> In fact, in the case of the UK's NHS? They even WARNED THEM that their administrative password file was WIDE OPEN for anyone to see/use in fact...
See here on that very note in fact:
---
LulzSec warn NHS of cyber attack hacking threat:
http://uk.ibtimes.com/articles/160624/20110610/lulzsec-lulz-security-nhs-health-service-cyber-attack-weak-hack-hackers-hacked-sony-nintendo-network.htm
---
* So, as you can see? Yes - There is "always some good to be made out of 'the bad'" (& in their case? They're not all bad @ all!).
(It really depends on HOW you look @ them & what they're doing is all... they could in fact, do a LOT worse!)
APK
P.S.=> "Onwards, & UPWARDS!!!", lol... apk
Instead of good programming practices, let's KEEP the idea of infinite spending alive by bringing in the GOVERNMENT to do what they do worst: swat bugs and help people!
Seriously: nobody ever calls for government help and GETS it, they get screwed. Remember what "Net Neutrality" turned into?
PLEASE STOP ASKING FOR THE FED TO DESTROY THE INTERNET!