Slashdot Mirror
Malware Is a Disease; Let's Treat It Like One
jfruhlinger writes "The most common metaphor we have for computer malware — 'virus' — emphasizes that in many ways malicious computer code mimics biological pathogens. And yet, while the U.S. government has rapid response plans in place for an outbreak of a new disease, we're content to let the private sector react to hugely damaging computer infections. Tom Henderson thinks we need the cybersecurity equivalent of the CDC."
I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
If you get good people staffing it, not a bad idea. It could focus on a lot of the massive but individually low-level threats, rather than some of the high-level stuff that the FBI does.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
So why don't we just arrest and throw everyone in jail that catches a computer virus!
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
A lot of the rapid response plans the CDC has on the books call for things like quarantine and mass vaccinations.
The odds that grandma and grandpa have had their yearly flu shot are much higher than the odds that they're running a patched version of Windows.
And despite numerous proposals to cut off infected machines (aka quarantine) I've yet to see the idea implemented on a large scale anywhere other than college/university campuses.
[Fuck Beta]
o0t!
I'm guessing Tom doesn't mean Cult of the Dead Cow.
If I have been able to see further than others, it is because I bought a pair of binoculars.
If the malware purveyors have broken the law, let the government prosecute them as needed.
Otherwise a plan like this involves more bureaucracy, money, privacy invasions, red tape, and inefficiencies. Worse, you're proposing an agency whose work will necessarily cross borders adding to the complexity. Make it more lucrative for private industries to report infections to law enforcement, remove the stigma of having been "infected", and easier to prosecute or recover damages.
This is just what our broke-ass, can't-find-it's-dick-with-it's-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.
-- You are in a maze of little, twisty passages, all different... --
no, there's plenty of government money dumped to it in almost every country. is it doing any good? not much, the main thing what it becomes is that some guys who get dumped lots of money just go around making the same lectures every now and then, with powerpoint slides saying "unix is a security protocol" and shit like that. and the damages can't be measured as it's just human placed value on it, making the data losses and breaches in actual money(or hardware) hard to measure.
"Yes, there’ll be some that won’t be vaccinated for religious reasons. Their systems need to be partitioned from infecting others. I don’t know the mechanism to do this, but Network Admittance Control is a thought.". his solution would actually be that every machine is vulnerable to government infection, actually being a botnet to begin with. so, fuck his solution, fuck him.
world was created 5 seconds before this post as it is.
Please update to the latest version of Microsoft (tm) Windows (tm) 7 (R) Professional (tm) or Microsoft (tm) Windows (tm) 7 (R) Home to reconnect to the internet.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
If a disease outbreak ravages the country and kills the young, the old, the weak, that would be a huge tragedy.
If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
This agency would have to have international power and able to act swiftly. It would be nice to see some high profile punishment for hackers on the payroll of organized crime in countries that are weak on enforcement. Maybe we should take a Vegas casino stance on these guys like they do with their cheaters. Have fun with your "1337" hacking skills after someone breaks all your fingers with a hammer.
I Cater to the Needs of Stupid People. - from a coffee mug Christmas gift
Sure, right now, malware is used to spew spam, steal credit card data etc... but one has to recognize that it is very resilient against all efforts to eradicate it. Fast forward a few years or in other regions, where Government wants to assume total control of the 'Net. Wouldn't malware be the only piece of distributed p2p software being able to resist total censorship? Let's not dismiss malware just because it is being used for nefarious purposes now: it could come very handy in the not too soon dystopian future.
cpghost at Cordula's Web.
Cyber Defence Council!
how is babby formed?
The thing about the CDC is that it is possible to immunize and/or treat basically anyone. Financial and logistical concerns may make doing so impractical, but where treatments exist, they tend to work to varying degrees in just about anybody.
Malware isn't like this. Older software tends to lapse out of support. That's not an insurmountable problem in the OSS community, where the source code to the OS is available so that someone other than the maintainer could write a patch. But with closed and obsolete operating systems -Win95, for example, or Mac OS 9- who's going to write the patches?
When you're too stupid to properly name the problem you're trying to address then just BOAKYAG. I doubt there has been any threat from a virus in a decade; today's threats are trojans and worms.
Take your example of the solicitor general. They are supposed to argue the position of the United States Government in the Supreme Court.
The official position of the United States Government, by the passing by the House and Senate and signing by the President, is the Defense of Marriage Act. It is the law of the land regardless of its (IMHO) stupidity.
However, due to political considerations, the "institutional competence" of the United States Solicitor General will not be used to defend the position of the United States Government as it its mandate.
Likewise, for political reasons the Department of Justice refuses to use its professional competence to prosecute egregious examples of race-based voter intimidation.
However, this issue of malware is not likely to be political, so the government might actually do a pretty good job in this role. It is interstate in nature, and it is a role, like fire departments, that is not efficiently served by free market solutions.
In order to server you better the Government Department of Internet Security has installed Friendly Protector 1.0
Friendly Protector has determined you have 182 instances of unlicensed MP3's and movies please report to the nearest courthouse to pay your fine
Fine is 458,000 made payable to the MPAA/RIAA and current politicians election campaign
Friendly Protector has determined that you have 3 instance of adware, 1 instance has been approved and is now protected from removal on your system
Please download AV protection to remove the other 2 instances of adware
You have 1 instance of malware however we are unable to pursue this as our law enforcement branch is currently dispatching helicopters to your location to deal with the unlicensed copy of Ishtar found on your PC
Thank you for using Friendly Protector 1.0 and look forward to 1.1 and phone GPS tracking software to further protect your security.
I actually think that there's something going here. Pretty much all of us here, personally, would not benefit from government intervention - this is true. If you're here on /. reading the comments, I'll bet damn near all of us who have GOTTEN a virus, either did it on purpose or took a calculated risk expecting one. Most people who pick up malware are, to put it bluntly, idiots when it comes to computers.
And the bad part IMO comes from when they get themselves turned into zombies - I wouldn't mind seeing the government trying their hand at applying their force and legal requirements to this end. Because most people don't have a financial incentive to try to remove themselves from a botnet if they're part of one, they won't go through the effort - or spend the money - for a private solution. To them, it's just a hassle, and one they've got no reason to go through with. The only way to persuade them to deal with that, at least, is a bigger hassle - the government being a pain in the neck.
Now, for other malware, for phishers and scammers, hostile viruses and worms that attack you directly, I don't think the government can do much that the private industry isn't already doing - or the free software available is. When a problem comes up, they respond quickly, and I don't see how the government could aid aside from mandating some AV software of some kind - but that will already get rammed down your throat by whoever you call for tech support when your system goes belly-up, rendering it IMO not much improvement at all.
So, for diseases, we focus on prevention.
Oh, right, we'd rather take a magic pill (antivirus software) than do the right things to keep it from happening in the first place. Exercise and proper diet? No way! It's not my fault I'm fat!
http://www.us-cert.gov/
From the US-CERT "About Us" page:
US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.
Information is available from the US-CERT web site, mailing lists, and RSS channels.
US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.
Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Where is US-CERT located?
US-CERT is located in the Washington DC Metropolitan area.
What is US-CERT's relationship to NCSD and DHS?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace .
Singlehandedly, I'm most of the way there. I'm not saying it to toot my own horn, but as a statement of fact. I've already got 7 (technically 8) databases implemented and currently in the process of creating three more. I don't really consider offensive.dat in the database list because it's designed for parental control scanning. http://www.tot-ltd.org/installation.db http://www.tot-ltd.org/blacklist/0-F http://www.tot-ltd.org/whitelist/0-F http://www.tot-ltd.org/API/ http://www.tot-ltd.org/ports/ http://www.tot-ltd.org/heuristics.dat http://www.tot-ltd.org/packer.db
I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing with an issue than a bureaucrat who will use failure as an excuse to ask for a bigger budget. In private industry, failure is punished. In government, it's rewarded.
We have a company whose profits are on the line, staffed by people, whose salaries are on the line "dealing" with issues.
It's called Microsoft.
upon the advice of my lawyer, i have no sig at this time
Hey the stuff I get through the USPS in general is in better shape than the stuff I get through UPS or FedEx. I have gotten a number of packages through UPS and FedEx that looked like they have been backed over by the truck, or had foot prints on them thankfully most companies who ship stuff pack them accordingly so I haven't gotten prebroken stuff. Now you can trot out that the USPS looses money, but they have to go and get approval from our congress critters to raise their rates, must deliver service to all locations on all weekdays and Saturday which is something that UPS and FedEx don't have to do. There are things government should do and does well, the problem is when it gets into things it shouldn't (saving car companies) or when they try to privatize things they shouldn't (security contractors).
Time to offend someone
of Outbreak http://www.imdb.com/title/tt0114069/.
If we treat it like a disease, then we should just "manage" the symptoms with overpriced "treatments," instead of actually fixing the problem.
giggity
... biological warfare. Malware didn't evolve naturally, it was engineered.
No software is released 100% bug free (though I'll acknowledge that some players can do a better job). Once in the hands of the consumers, many of them don't update their products regularly, so even a system that was soundly coded and fully patched at the time of its initial deployment may well end up being a security risk down the line as new exploits are uncovered.
I use irony whenever I can, but my shirts are still wrinkled...
All right, all right ... Apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has the government ever done for us?
I am officially gone from
Become truly awful due to some element of human stupidity or laziness. People dump their poo on the sidewalks, businesses continuing to use IE6 instead of porting apps to standards,etc
Well in that case, this magical government entity that was designed to protect us from all malicious infections would get in bed with the security companies. Because who else is going to fund this big grand organization? Our tax dollars?? HA! So after Symantec and McAfee get in bed with this Cyber CDC or CCDC, they will tell the CCDC what is profitable to them for the CCDC to label a virus. And so it goes that certain malware will not be profitable to treat and will thus be considered a bogus threat. Or you can look at the real world example with the CDC and Lyme disease.
The problem is that the creation of such a thing would likely be just a giant 4th amendment violation most likely. Furthermore what does this group do exactly? Do they just cut you off the internet? Do they go on site and attempt to 'cure' the infection giving the businesses even less reason to keep themselves clean? Do they go on site and just take all infected computers never to be returned?
Pretty sure regardless of the action done it's going to be a disaster waiting to happen.
But the DOMA decision was highly controversial, even within the office, and is by far an outlier. For the most part, when new administrations come in they are gung-ho to use the SG's office to get all of their preferred cases to SCOTUS (i.e. the ones they'll win on), but the SG's office never winds up trying to do that because the long term institutional role of the office would be greatly undermined if they did.
In addition, its mandate is *not* to defend DOMA--its mandate is to represent the United States Government, which does not mean fighting every case where they have an unsanctionable argument. In addition, where the issue comes before the Supereme Court, there is *zero* chance that there will not be competent representation if they drop out--it would be more worrying at the circuit level.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
THE CDC exists because the consequence of not stopping an outbreak is a massive decline in the human population, such as during the plague in Europe. Malware infects computers because most IT departments are under staffed with no security budget, or sufficient knowledge.
Also, lets define what a break in is, a DDOS attack launched by anonymous IS NOT a break in, it's just merely exactly what it states and thats no service. So DDOSing a place like lockheed doesn't get you anything besides an arrest warrant. But Lock Heed is filthy rich, we can't all be that way, so maybe we need something else...
How about security certs? BBB ensures quality service from their businesses through membership. Why not have a ranking system for how strong your security system is. Say I don't want to give me SSN to a C ranked company over the web, but I have no problem with A.
The point being we can handle this w/o the government and be all the better for it.
Anti-virus companies have a very strong built-in incentive to never actually put an end to malware, because that would put them out of business.
Politicians have a built-in incentive to permanently eradicate malware, because the politician who did that would then certainly be either appointed or elected to a more powerful, more profitable post.
Sanitation: usually run by private companies (Allied Waste, etc.) at no tax cost an less cost per month than Netflix.
Medicine: FDA/etc. only serve to make sure nothing breaks too badly. They have helped prevent abuses at times but are also guilty of preventing life-saving treatments for questionable reasons.
Wine: Really?
Public order: Sorta, but most of the really useful stuff is local, not federal. Just look at the DEA/BATF and the Mexican cartel gun sting (and others) for myriad reasons why they suck at it.
Irrigation: you mean like the flooding all along the artificially screwed up Mississippi this year? Yeah, bad example, brah.
Roads: another love/hate situation. In Texas, road crews are usually pretty efficient (block off a quarter mile of road for a few weeks, then move on to the next quarter mile) where Louisiana road crews are the epitome of sloth (ever drive I-10 in the 80s/90s? Dozens of miles of interstate reduced to single-lane traffic and you MIGHT find one truck every few miles).
Fresh water: fair enough but again this is largely a local government issue, not federal. Then again, the science behind flourination and other treatments isn't settled yet, so not sure if this isn't something in a decade we'll all be decrying as another government boondoggle.
Public health: Yes/no. Smallpox and such, great. DDT and others, not so much.
We could argue for ages about government vs private sector and not agree. It's a good thing we have the ability to disagree without the government hauling us off to jail, eh? ;)
Sanitation: Like the government garbage strikes in NYC, where trash piled up for weeks? A private company would get the trash picked up (unless prevented from doing so by "labor laws").
Medicine: Government has run up the costs, and slowed the pace of innovation. When rich Canadians need surgery they leave their socialized system for the semi-socialized US system.
Education: Like in Atlanta, where the government schools cheat to get money? The more control government has gained over education, the worse it has become. Or the fact that almost half of all US high school graduates are functionally illiterate.
Wine: I have no idea what that has to do with government.
Public Order: Wars in Libya, Iraq, Afghanistan, Yemen, Somalia, Panama, the Baltics. That's just a sample of the US's "public order" this century. If we look at the last century, we can add the Holocaust, the Soviet purges, the Killing Fields of Cambodia, Mao's cleansing, and countless other atrocities. Cops commit more murders in the US than they prevent, and as in the cases of Jose Guerena or John T. Williams, they get away with it. I refrain from murder, rape, and theft because it's wrong, not because it's illegal. And the vast majority of the population does as well.
Irrigation: All the irrigation systems I know of are private. But I don't claim any level of expertise in the field.
Roads: High quality roads, indeed! A private firm would see a bridge (or a road) as an asset to be maintained, in order to reduce the risk of lawsuits, and maintain revenue. To government it's an expense with nothing new and shiny to show the voters.
Fresh water: That would be fairly difficult to do in private industry...at least the way we do it now. But it's not done at the federal level. The farther control of something gets from the people, the worse it seems to get.
Public Health: Is having idiots scream that we're all going to die from the bird flu, or the swine flu, or the flying pigs flu a good thing?
Other than those things, government is responsible for hundreds of millions of murders, stealing wealth from its owners and diverting it to those with political connections (particularly banks and military contractors), and generally slowing the progress of our society.
This is the stupidest thing I have ever seen posted to Slashdot.
"Ayn Rand is a bloody socialist compared to me." - Robert A. Heinlein
Give me a break. A cybersecurity version of CDC? Beyond the billions of taxpayer waste funding that abomination, care to explain how in the hell even the most ignorant dumb-ass moron user can't understand the simple instruction of "turn it off"?
Malware is localized and contained within a hard drive, and instructions are just that simple to contain it. Turn the damn thing off, or disable all network interfaces. I don't need a multi-billion dollar agency telling me something the evening news could do just as easily. You're preventing Malware from spreading, not trying to control Ebola from killing your kids. And no, I don't give a shit how bad teenagers cry, it is possible for the human body to continue to function without the Internet or a cell phone if absolutely necessary.
AC, Please look up "straw man fallacy".
Do you really think it's the government that's the only threat to your liberty. Do you suppose that corporations are interested in preserving your freedoms? If we can't check corporate power through government, how shall we do so?
A politician can render a competent worker incompetent by telling him not to apply that competency.
No matter how capable you are, you can't do your job if you're told not to.
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month. .00158 or about 16/10K per year. 1.3/10K per month. .00039 or about 4/10K per year. .33/10K per month.
* Torpig: 20/12677 =
* Mebroot: 5/12677 =
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
Step 1: Draft a law that says anyone writing a computer virus or malware that causes significant damage to users computers to be liable for all the damage and spend up to life in prison for their efforts. This crap is no different than walking into 100,000 - 100,000,000 homes and either smashing their computer or taking a couple of hundred bucks out of their wallet.
Step 2: Get all of the worlds nations to agree with the law and enforce it within their borders. Anyone who doesnt feel like it gets no aid from anyone else ever again.
Step 3: Watch most of these morons find something else to do with their spare time.
Step 4: Watch the ones that arent smart enough to do something else spend 45 years making license plates and sending their earnings to the computer users who had to buy a new computer or pay someone to fix theirs.
Despite loading antivirus and antimalware software on every computer in my extended family, about 75% of them annually get malware that cripples and eventually renders the machine useless. It usually takes me 3-5 hours to run scans, remove the malware, and recover their data. At this point I have a backup of everybody's machine so I can just restore them in 15 minutes to a previous working state. What a huge waste of my time and resources.
While they are ordered NOT to do their duty and defend the position of the United States Government.
In general though, I would hope they are among the least competent people in government. These are the people who defend laws that are very often unconstitutional. They were the ones defending the the various civil rights abuses caused by the war on drugs.
The way we treat disease is by ignoring cures, developing expensive treatments, and enslaving the patients to life-long pill taking to keep the disease in check while they are milked of their hard earned money.... Even anti-virus software makers are that evil...
Whoa! Here's a concept; how about we treat crappy OSes like a disease?
Cells get infected when rogue genetic material gets past their defenses. A single infected cell can eventually lead to massive side effects.
The same thing is true when rogue programs get past firewalls, antivirus, etc.. A single computer can result in network wide side effects. Thus far the analogy holds, and is a helpful tool.
Unlike the situation with our cells, we can redesign the way our operating systems work, so that they don't trust programs. This shift would then allow the user (or administrator) to decide what resources would be made available to any given instance of a program. This makes it practical to limit the side effects of a rogue program, or even one which just has a bug.
Computer security can be FIXED, and we should start working on it now, so that the lack of a solution isn't used as an excuse for more intrusion, and destruction of liberty.
... I'm the cure. This is where the law stops and I start, sucker.
(Cue automatic weapons fire and explosions).
My thoughts exactly. Apparently with how we got modded I'm guessing slashdotters don't share the same opinion.
I really do think this is the right move. Being on the Internet is a privilege not a right. It's like driving on the autoban. If your machine is crippled, get over in the slow lane and stay there or you will get hurt; if your machine is healthy and strong open up the pipes and let 'er rip. Most people with a droned computer won't know any difference if their being filtered and throttled. Who cares??? It fixes the rest of the world and they dont even know the difference. And if they do figure it out, even better cause they can fix their problem and have their service fully restored.
For a while now I've come to the conclusion that the government should provide all essential services (water, electricity, Internet, postal service, mass-transit, etc.) via non-profit companies whose purpose it is to provide an acceptable quality at an acceptable price. At the same time, there is no state monopoly and anyone who feels he can do better is free to try.
The private sector always claims it is more efficient than state-run companies. That's what brought us the whole desaster of privatisation. Well, if they are so much better, they will have no trouble competing and offering either better service or better price, or even both.
Assorted stuff I do sometimes: Lemuria.org
Instead of good programming practices, let's KEEP the idea of infinite spending alive by bringing in the GOVERNMENT to do what they do worst: swat bugs and help people!
Seriously: nobody ever calls for government help and GETS it, they get screwed. Remember what "Net Neutrailty" turned into?
PLEASE STOP ASKING FOR THE FED TO DESTROY THE INTERNET!