Slashdot Mirror
White House Announces Initiative To Fight Botnets
benfrog writes "ISPs and financial-services companies would share data about computers made into botnets under a pilot program announced today by the Obama administration. From the article: 'The voluntary principles announced today include coordinating across sectors and confronting the problem globally. They were developed by the Industry Botnet Group, comprising trade groups including the Business Software Alliance and TechAmerica.' The White House is also backing a bill proposed by Joe Lieberman that would put the Department of Homeland Security in charge of cybersecurity of vital systems such as power grids and transportation networks."
Anyone want to start taking bets as to when a copy of uTorrent or Transmission will deem you as a part of the botnet?
I feel safer already.
I try not to be paranoid, but when I see the BSA and the department of Homeland Security are joining forces, I can't help but have a feeling of dread...
It really makes me wonder just what constitutes a botnet. After all, large numbers of computers contributing to torrent downloads are a form of bonnet also.
If this doesn't make you think the government has too much money and free time, nothing will.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Bittorrent = Terrorism.
I guarantee the BSA scumbags are already pushing this point.
Do not look at laser with remaining good eye.
if botnets were the issue they'd ban windows and bam! all botnets down.
but botnets aren't the issue. illusion of control is.
It makes sense for "Homeland Security" to secure power grids, and critical infrastructure.
They know nothing of computer security, botnets, or doing much more than confiscation.
The BSA knows even less.
I would be excited to see a team of REAL security experts (Schneier and Kasperksky)
working together with the folks at http://garwarner.blogspot.com/ to eliminate the real threats.
Grandmothers, breastfeeding mothers, little girls with insulin pumps, and people who copy
Windows 98 are _NOT_ the real threat.
Ehud
to think that this is a not very subtle attempt to give the government an excuse to build a Great Firewall of America?
anything by him is suspect, that dude is human scum.
Great. I'm sure this will be every bit as successful as the war on poverty, war on drugs, war on terrorism. How are those doing anyway?
Is total garbage. He's one of the worst people in the world...total scumbag.
It is humorous that the BSA is taking charge of solving a problem that is essentially created by its members (and not able to solve it). The BSA is all about fighting for proprietary software. They ensure third parties (like antivirus companies) can't fix the code which lets botnets propagate and they ensure we don't have an Debian-like/apt-get like solution to software maintenance, distribution, and trust models.
This BSA lead solution is bound to fail.
The only thing I can conceive of working well to reduce or eliminate botnets is to free the software, implement official security standards all software need comply with, and fix the distribution problem. We would need to properly fund free software platforms and ecosystems. The move to free software with carefully scrutinised (think Debian) channels of trust exist and the software is available for third party review. These software repositories should require certain minimum security standards too. For the most part it's already being done as such with Debian although without any such standards (apart from trust in relation to distribution). They need to eliminate all but essential features of applications which execute scripts.
- applications should not generally implement support for unnecessary scripting features, embedded objects, etc
1. Web browsers should not have flash, PDF readers, java applets, GPU accelerated 'gaming' features, or silverlight.
2. PDF software should not support scripting or embedded objects (like flash).
3. Office software should not support macros; there is a business case although that needs restrictions and should not generally be in consumer office applications. Even within the business situation there needs to be restrictions on the businesses users ability to install such macros without technical advise.
4. E-mail clients and similar should not support scripting or even html except for a minimal subset of features.
5. Instant messaging software should also not implement scripting and limit any HTML to a subset of the standard.
6. Applications should not install third party plug-ins to web browsers or similar.
Just like measures they tried to introduce in the name of stopping child pornography, this seems harmless and well-intentioned at first; but with the BSA and DHS involved I cringe to think how it will be abused.
wake me when the white house announces an initiative to fight robots, but only if they enlist Magnus
Do we really need even more governmental? BSA is right up there as well.
If I'm not mistaken, don't we already have at least one or two government agencies involved in information security? Why do we need to have more?
people still copy windows 98?
have you seen my sig? there are many others like it but none that are the same
Personally approved by the President? Will there be video of the drone strikes?
I prefer windows 95 - 00000-00000-00000-00000-00000 gotta love it
should I expect a takedown coming my way now?
have you seen my sig? there are many others like it but none that are the same
so...why dont you make all these pieces of software you believe should be made "your way"? I dont disagree with your wishlist,but dont just complain about it be about it
have you seen my sig? there are many others like it but none that are the same
It's cooperative effort to confront a huge, insidious problem on the internet. I'm as paranoid about government control, but this is hardly a blip flashing on my radar. My only problem is that by giving Homeland Security a vital role, it's that much more unlikely that it'll ever go away.
I swear to God...I swear to God! That is NOT how you treat your human!
so...why dont you make all these pieces of software you believe should be made "your way"? I dont disagree with your wishlist,but dont just complain about it be about it
So nobody has a right to criticize anything that they don't personally have the skills to do themselves?
If you're dissatisfied with the airlines, don't bother with criticism, start your own. Train is late? Don't bitch. Start your own railroad. Your doctor commit malpractice or just does a crappy job? Don't whine, go to medical school and treat yourself. Your lawyer falls asleep in court and fails to properly represent you? Don't file a complaint with the Bar, get a law degree and represent yourself.
See how silly and arrogant that attitude is now?
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
as a response people all the world over join anonymous and become botnets :P
fuck you obama
Does it strike anyone else as ironic that on the one hand the United States is rushing to develop what it calls "cyber weapons" (side note: why must everything be prefixed with cyber anyway, especially when it has nothing to do with man machine integration?), which would include autonomous programs communicating amongst themselves and coordinating activities via a command / control channel (i.e. a "botnet"), while at the same time announcing an initiative to "fight" the very programs that they are also creating? Why must everything be couched in language suggesting a "war on whatever"? Why not simply say, "we will respond in kind to those who attack us using these weapons", acknowledging the obvious fact that such weapons are inevitable, and leave it at that.
First, there isn't anything the US government can do that isn't already being done.
Second, this will serve as justification for a massive expansion of US Executive power onto the currently anarchic internet.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
We need the government "helping" fight botnets.
Capability based security can fix this, virus scanners and blind linux fanboyism aren't enough any more.
With Mr. Mitt Romney gaining the delegates to win the GOP nomination, President Barak Hussien Obama II with blessings from the US Dept. of Justice and with help from the Central Intelligence Agency, Secret Service and Federal Bureau of Investigation has ordered the killing, murder, of Mr. Mitt Romney and all family members of Mr. Romney in the name of President Obama. :|
to a point yes, to another point no,
/. , of course the best answer is build it yourself!
it takes many materials to create an airline or a railroad, it takes a word processor and a compiliar to create a program, the knowledge part is free, and 1000% in your control. and with torrents out there, you can clearly get the tools needed to create such a product to suit your needs
this is
have you seen my sig? there are many others like it but none that are the same
it takes many materials to create an airline or a railroad, it takes a word processor and a compiliar to create a program, the knowledge part is free, and 1000% in your control. and with torrents out there, you can clearly get the tools needed to create such a product to suit your needs
What a narrow view you have, grandma!
You are aware that there are people who spend all their time doing much more important things than write software, right? Like a nurse that works 60-70-80 hours or more a week taking care of sick/dying people, and then has to come home and take care of a family and doesn't have the time or energy to learn programming and then fix some random application.
That "fix/write it yourself or don't criticize" attitude is fine for somebody that doesn't have an important & essential full-time career already, and lives in their mom's basement with all the time in the world and an endless supply of Mountain Dew & Cheetos that your mom keeps stocked.
It doesn't fly in the real world, however.
You really should get out more. There *are* other things in life, and some of those things are more important than coding, even.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
option one: whine about software and ... well thats it, hope it gets fixed automagically
option two: either write or help other write/fix the software... job done.
you get to pick either option one OR option two.
Department of Homeland Security in charge of cybersecurity of vital systems such as power grids and transportation networks
The DHS tried to search trains and was told to fuck-off. They're already searching cars without probable cause. What else can they do? Search people who open a meter box. They'll be on a first name basis with a lot of farmers and electricians.
http://www.wired.com/threatlevel/2012/05/flame
I hear rumors that a nation state in the middle east is responsible for this; no time for evidence or due process, start the drones!
Nothing is more important than coding! You're delusional, stop fantasizing about nurses!
option one: whine about software and ... well thats it, hope it gets fixed automagically
option two: either write or help other write/fix the software... job done.
you get to pick either option one OR option two.
OR, how about thinking of the solution in more than black and white, one extreme or the other, terms?
Look, I get it that you write the stuff mostly because you wanted to for your own reasons, and it's wonderful that you've shared it when you didn't have to at all. You're under no obligations, that's understood. But there needs to be some better way to do things that allows the users a more convenient & friendly way for users to find willing programmers and pay for changes/improvements.
How about a web service programmers could join (or not) where users can submit programming tasks and programmers can bid on doing the work? Have a ratings system for both programmers and users/bidders, maybe along similar lines to how Ebay rates it's buyers and sellers.
Not sure if that *exact* solution is workable, but there *has* to be some innovative ideas out there that would work. At least, if people would stop thinking in binary terms.
If someone could hit on the right formula, such a service could become huge. It would also greatly advance the practicality of using open source software. Never mind a whole new way for independent programmers to make money on their terms.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Think about it: It's NOT so different from folks creating DNSBL's by coordinating w/ one another on WHICH sites/servers are hosting botnet C&C servers (to block them out) OR doing what I do with custom HOSTS files, which is Blocking out KNOWN sites/servers/hosts-domains that:
---
A.) Host malicious script in their content
B.) Host malicious script in their adbanners
C.) Serve up malwares
---
Between securing a system & educating end-users more/better on the sources of attack + conscientious patching OR even "security hardening" tweaking (such as cutting off services you don't need that MAY have remote exploit vulnerabilities + far more), & group security based policies, ala guides like this one:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH
Which, in essence & practice does ALL of the above (mostly in stopping users from indiscriminately accessing the MOST USED THREATS against them), typically of:
---
1.) Maliciously scripted website pages (mostly javascript)
2.) Faulty JAVA apps or exploits of JAVA vulnerabilities
3.) Faulty Adobe apps (e.g. - FLASH exploits)
---
?
* You've got MOST of the game "licked"/beaten... I've been doing it MOSTLY via sites that host information on KNOWN sites/servers/hosts-domains that block ALL of the above known threats... & yes, it actually works!
The community online's been taking care of itself on THAT front, via lists for custom DNSBL's &/or custom HOSTS files for a LONG TIME now... & again - it works, for the same ideas/principles these guys are reaching for now (community sharing of vital information - in essence/effect, a sort of "security crowd-sourcing")...
THUS, above & beyond std. client-side workstation node security, server-level security + app level security & patching?
The rest you'd get by blocking out those KNOWN malicious sites/servers/hosts-domains (& their pages known to serve up malicious script OR malwares + botnet C&C servers etc./et al...)
APK
P.S.=> It could be an aid to a principle I've been using for decades of "what you can't touch, can't hurt you" & by blocking out those things enumerated above? You get that...
Simply thru sharing such information for blocking them off from users either thru custom HOSTS files, firewall rules tables, OR DNSBL's server-side @ the DNS server level (preferably ALL 3 measures in combination, along with ONLY USING JAVA or JavaScript + plugins in FLASH only where you ABSOLUTELY NEED THEM for function only) - it could be a VERY effective tool vs. online exploit (& it does work, I've been doing the same basic idea for decades along with many users)... apk
http://news.slashdot.org/comments.pl?sid=2884651&cid=40164875
* I also agree that perhaps giving "big gov't." MORE "power" MAY NOT be a 'great idea' though...
HOWEVER: Is it "bad" in this case?
E.G.-> The idea of coordinating MANY ISP/BSP's together for collaborative infornation
For
I.E.-> Stalling botnet C&C servers' communications (along with other measures in "crowd-sourced" fashion such as stopping access to KNOWN threats from sites/servers/hosts-domains that are KNOWN to serve up malicious scripting, bogus adbanners, malware, or botnet C&C servers etc./et al)...
I think it's a potentially VERY good thing, personally!
APK
P.S.=> Pretty much the SAME THING has been going on for MANY YEARS for folks like myself that use custom HOSTS files for blocking out those things I noted above for better "layered-security"/"defense-in-depth", & I can see applying such methods for the creation of DNSBL's + firewall rules tables too for even more of the same, albeit this time, between ISP/BSP's... not a bad idea, imo @ least!
... apk The idea of coordinating MANY ISP/BSP's together for collaborative infornation
For
I.E.-
1. Web browsers should not have flash, PDF readers, java applets, GPU accelerated 'gaming' features, or silverlight.
2. PDF software should not support scripting or embedded objects (like flash).
3. Office software should not support macros; there is a business case although that needs restrictions and should not generally be in consumer office applications. Even within the business situation there needs to be restrictions on the businesses users ability to install such macros without technical advise.
4. E-mail clients and similar should not support scripting or even html except for a minimal subset of features.
5. Instant messaging software should also not implement scripting and limit any HTML to a subset of the standard.
6. Applications should not install third party plug-ins to web browsers or similar.
I have a better suggestion:
I scanned the comments and is no one alarmed by this? It doesn't seem too paranoid to think that DHS (who does a swell job running the TSA) would shut down the electricity grid "to protect it". There are already VIPR teams stopping vehicles on the highway. CBP and DHS has been seen at the Detroit Electronic Music Festival. DHS ordered 450 million rounds of .40 hollow points. Draw your own conclusions.
As far as blocking KNOWN bad host-domain names/sites-servers? Doesn't matter - they're MEANT to be blocked off & currently, I blockout 1,787,196 of those...
As far as my favorite sites I go to "hardcoded" into the hosts file?
Ahem - They're the "TOP 20" entries (I only keep 20 now) items in my hosts file, & read immediately!
(Especially once cached into memory by the local diskcaching kernelmode subsystem after the initial 1st read...).
Thus?
Heck - Even a B-Tree seek over 2++ million hosts file record entries wouldn't make a difference in speed...
(Do the math: You'll see I actually do about the same, OR LESS, seeks than you would in a binary tree seek over that many hosts file entries records)
All since I place my "favorite sites" @ the topmost spots in my custom hosts file so even IF the DNS system goes down (like is expected for infested users on July 9th via DNSChanger), or DNS poisoning redirection is done to DNS servers (even though I use the "best ones in the biz" as far as those that filter vs. known online threats, in OpenDNS, Norton DNS, &/or ScrubIT DNS in both my hardware router firewall + my Windows IP stack DNS settings)?
I'll still have the ADDED RELIABILITY of resolving those favs sites of mine locally, & be doing it FAR FASTER than calling out to potentially downed OR dns poisoned redirected DNS servers... by far.
(Blocking out adbanners does the rest, & gains users HUGE amounts of absolutely NOTICEABLE speed... see below on that much in fact from your peers on /., and, security pros too!)
Good luck disproving any of what's written above, OR especially BELOW... you'll NEED it!
APK
P.S.=> So much for trolls & their off-topic b.s., lol... & you KNOW I've just GOTTA say it: This?
This was just "too, Too, TOO EASY - just '2EZ'", as always, in dispatching off-topic trolls that are WEAK in their computing technical skills...
Lastly - I'd also like to "toss this one on" for good measure, in your /. peers AND security experts/pros agreeing that custom HOSTS files can benefit end-users of them in more speed/bandwidth, more "layered-security"/"defense-in-depth", reliability, & even 'anonymity' to an extent (bypassing unjust DNSBL's &/or DNS request logs):
---
20++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:
---
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal
"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal
"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm " - by TempestRo