Malware Is a Disease; Let's Treat It Like One
jfruhlinger writes "The most common metaphor we have for computer malware — 'virus' — emphasizes that in many ways malicious computer code mimics biological pathogens. And yet, while the U.S. government has rapid response plans in place for an outbreak of a new disease, we're content to let the private sector react to hugely damaging computer infections. Tom Henderson thinks we need the cybersecurity equivalent of the CDC."
If you get good people staffing it, not a bad idea. It could focus on a lot of the massive but individually low-level threats, rather than some of the high-level stuff that the FBI does.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
A lot of the rapid response plans the CDC has on the books call for things like quarantine and mass vaccinations.
The odds that grandma and grandpa have had their yearly flu shot are much higher than the odds that they're running a patched version of Windows.
And despite numerous proposals to cut off infected machines (aka quarantine) I've yet to see the idea implemented on a large scale anywhere other than college/university campuses.
[Fuck Beta]
o0t!
I'm guessing Tom doesn't mean Cult of the Dead Cow.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Agencies are directed by political appointees,...
Who are motivated by political power. Why is an organization that is motivated by political power less suspect than an organization that is motivated by profit?
At least with a private company, if I don't like how they treat me, I can do business with someone else (or no one).
The truth is that all men having power ought to be mistrusted. James Madison
Please update to the latest version of Microsoft (tm) Windows (tm) 7 (R) Professional (tm) or Microsoft (tm) Windows (tm) 7 (R) Home to reconnect to the internet.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
If a disease outbreak ravages the country and kills the young, the old, the weak, that would be a huge tragedy.
If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
Private companies are motivated by profit.
Agencies are directed by political appointees, but good ones tend to have a culture which focuses on institutional competence. (e.g. the solicitor general's office.) It does not make sense for individual companies to take the same measures that a society does--there are collective action problems. Some of those goals can be assumed by an agency working for government.
Private companies that want to continue to make a profit will make sure they get the job done. Political appointees, on the other hand, will keep their jobs if they fail, and most likely turn the failure into an increased budget, so next time they can fail on a more spectacular level.
When you're too stupid to properly name the problem you're trying to address then just BOAKYAG. I doubt there has been any threat from a virus in a decade; today's threats are trojans and worms.
Because we vote for the people that run the government.
Indeed - and when the options are douche and turd the sky is the limit to how fucked you can be.
In order to serve you better the Government Department of Internet Security has installed Friendly Protector 1.0
Friendly Protector has determined you have 182 instances of unlicensed MP3's and movies please report to the nearest courthouse to pay your fine
Fine is 458,000 made payable to the MPAA/RIAA and current politicians election campaign
Friendly Protector has determined that you have 3 instances of adware, 1 instance has been approved and is now protected from removal on your system
Please download AV protection to remove the other 2 instances of adware
You have 1 instance of malware however we are unable to pursue this as our law enforcement branch is currently dispatching helicopters to your location to deal with the unlicensed copy of Ishtar found on your PC
Thank you for using Friendly Protector 1.0 and look forward to 1.1 and phone GPS tracking software to further protect your security.
I actually think that there's something going here. Pretty much all of us here, personally, would not benefit from government intervention - this is true. If you're here on /. reading the comments, I'll bet damn near all of us who have GOTTEN a virus, either did it on purpose or took a calculated risk expecting one. Most people who pick up malware are, to put it bluntly, idiots when it comes to computers.
And the bad part IMO comes from when they get themselves turned into zombies - I wouldn't mind seeing the government trying their hand at applying their force and legal requirements to this end. Because most people don't have a financial incentive to try to remove themselves from a botnet if they're part of one, they won't go through the effort - or spend the money - for a private solution. To them, it's just a hassle, and one they've got no reason to go through with. The only way to persuade them to deal with that, at least, is a bigger hassle - the government being a pain in the neck.
Now, for other malware, for phishers and scammers, hostile viruses and worms that attack you directly, I don't think the government can do much that the private industry isn't already doing - or the free software available is. When a problem comes up, they respond quickly, and I don't see how the government could aid aside from mandating some AV software of some kind - but that will already get rammed down your throat by whoever you call for tech support when your system goes belly-up, rendering it IMO not much improvement at all.
So, for diseases, we focus on prevention.
Oh, right, we'd rather take a magic pill (antivirus software) than do the right things to keep it from happening in the first place. Exercise and proper diet? No way! It's not my fault I'm fat!
http://www.us-cert.gov/
From the US-CERT "About Us" page:
US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.
Information is available from the US-CERT web site, mailing lists, and RSS channels.
US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.
Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Where is US-CERT located?
US-CERT is located in the Washington DC Metropolitan area.
What is US-CERT's relationship to NCSD and DHS?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace.
Right, and I'll bet you're a virgin too...
I'm pretty sure that's not how you get computer viruses.
This is just what our broke-ass, can't-find-its-dick-with-its-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.
You can attack this issue from a potential civil liberties point of view in that by giving someone a gun guarantees someone will abuse it by silencing their opposition.
You can attack this from a Capitalistic perspective by stating that it's not the government's job to force people into buying anti-virus software or keeping laptops updated so any likely solution will artificially punish users for not buying Microsoft/Apple's latest OS device.
You can also attack this from a potential security perspective that goes along the lines of, if the government requires everyone to have the same lock, all they need to do is find one weakness.
You can't simply say that this isn't the government's business and end of discussion, however, as there is now a sizable fraction of our GDP and military force tied up into this single utility, doing so would be analogous to stating that the government does not belong in the areas of domestic security in the form of a functional police system and standing army.
I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing with an issue than a bureaucrat who will use failure as an excuse to ask for a bigger budget. In private industry, failure is punished. In government, it's rewarded.
We have a company whose profits are on the line, staffed by people, whose salaries are on the line "dealing" with issues.
It's called Microsoft.
upon the advice of my lawyer, i have no sig at this time
Hey the stuff I get through the USPS in general is in better shape than the stuff I get through UPS or FedEx. I have gotten a number of packages through UPS and FedEx that looked like they have been backed over by the truck, or had footprints on them thankfully most companies who ship stuff pack them accordingly so I haven't gotten prebroken stuff. Now you can trot out that the USPS loses money, but they have to go and get approval from our congress critters to raise their rates, must deliver service to all locations on all weekdays and Saturday which is something that UPS and FedEx don't have to do. There are things government should do and does well, the problem is when it gets into things it shouldn't (saving car companies) or when they try to privatize things they shouldn't (security contractors).
Time to offend someone
All right, all right ... Apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has the government ever done for us?
I am officially gone from
The CDC exists because the consequence of not stopping an outbreak is a massive decline in the human population, such as during the plague in Europe. Malware infects computers because most IT departments are understaffed with no security budget, or sufficient knowledge.
Also, let's define what a break-in is, a DDOS attack launched by Anonymous IS NOT a break-in, it's just merely exactly what it states and that's no service. So DDOSing a place like Lockheed doesn't get you anything besides an arrest warrant. But Lockheed is filthy rich, we can't all be that way, so maybe we need something else...
How about security certs? BBB ensures quality service from their businesses through membership. Why not have a ranking system for how strong your security system is? Say I don't want to give my SSN to a C ranked company over the web, but I have no problem with A.
The point being we can handle this w/o the government and be all the better for it.
But politicians backed by the MAFIAA would institute trusted computing and a locked up internet in the name of eradicating malware. People only have to think malware is eradicated at no cost for them to be reelected.
"People don't want to learn linux" hasn't been a valid excuse since '03.
Where did I say it was? However, an organization that I can voluntarily choose to work with or not (a private organization) is to be trusted over one which I must work with, whether I wish or not (a government agency).
The truth is that all men having power ought to be mistrusted. James Madison
This is the stupidest thing I have ever seen posted to Slashdot.
You must be new here...
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
* Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
* Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
... I'm the cure. This is where the law stops and I start, sucker.
(Cue automatic weapons fire and explosions).