Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Who's Going To Win the Malware Arms Race?

Posted by Soulskill on from the not-you-and-not-me dept.

An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?

16 of 155 comments (clear)

  1. More of the same by gsslay · · Score: 5, Insightful

    No-one will "win", and it's not helpful to represent the issue as if it's "winnable" by either side.

    Malware, viruses, trojans and other malicious behaviour of yet unheard methods will always be around, and we'll always be inventing new ways of counteracting them. Which will in turn be circumvented, and so it goes on.

    1. Re:More of the same by fuzzyfuzzyfungus · · Score: 5, Insightful

      I'd be inclined to suggest that it will be worse than that:

      Barring some sort of radical change in priorities that causes the market to accept zero new features for, oh, a (human) generation or more, while vendors put out bugfix releases, 'winning' certainly isn't going to happen by doing conventional stuff; but harder.

      If 'winning' in fact occurs, odds are excellent that it will be on some wonderfully dystopian lockdown platform that shrinks the problem space considerably by forbidding basically everything that hasn't been cryptopgraphically blessed by the vendor, sandboxed to hell and back, or both. Naturally, the power afforded to the vendor in this scenario will never be abused.

    2. Re:More of the same by TheGoodNamesWereGone · · Score: 3, Insightful

      The Bad Guys are winning, because this is a *law enforcement* problem, not just a technical one. Cybercrooks are engaged in the same kind of theft they'd engage in if computers didn't exist. In a world where police can't or won't do their jobs, putting a bigger lock on your door is not a long-term solution. With the IoT (dumbest idea EVAH!) it's only going to get worse. Weep for the future Na'Toth. Weep for us all.

  2. Nobody. And NSA etc. sabotage makes things worse by gweihir · · Score: 5, Insightful

    It is bad enough as it is with most software being insecure. Sabotage only makes things a lot worse. And for what? A zero-success track-record against terrorism? Industrial espionage? Having dirt on any possible future and present President, Congress Man, Senator?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. The future is now. by duckintheface · · Score: 4, Insightful

    You can already see the shape of that future in Google's Chrome OS. This is a very much "locked down" combination of operating system, browser, cloud applications, and storage. Security updates are automatic and (eventually) involuntary. You are limited to running the software that Google allows you to run, most of which is executed on Google servers. No website Java programs are allowed at all.

    Such an architecture provides for maximum security and has the advantage of minimum hardware requirements for ram memory and on-machine storage. It allows for encryption of all communications between your computer and the outside world with mimimum involvement or decison making by the user. And from Google's point of view it represents the perfect vehicle for advertizing in a controlled enviornment. In a sense, your computer has already been hacked (by Google) when you buy it. And they will make sure it stays hacked to their preferences.

    The next step will be integration of the computer operating system with the phone operating environment. The two will merge with more software coming from "app stores" and not from the wild. At the same time, the services on the computer will become more integrated with each other so that social media, calendar, voice calls, texting, and social media work togerther and don't work at all with outside software. It becomes a secure walled garden with enough internal features and flexibility to be tolerable to the mass users who are not or can not be responsible for their own security.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    1. Re:The future is now. by fuzzyfuzzyfungus · · Score: 4, Insightful

      And, unfortunately, ChromeOS is the comparatively softcore version of dystopian cryptographic lockdown. A ChromeOS device certainly works most smoothly if you leave it set to factory defaults, and generally play like a good little consumer; but, at least for now, there's a deliberate, documented, we-don't-assure-that-you'll-like-the-results-but-here's-how-to-do-it, switch for turning off the verification, becoming root, booting alternate payloads, and generally mucking around. My memory of the details is a little fuzzy; but I think that you can have your merry way with everything except some 'fallback' BIOS/bootloader that is hardware write-locked at the factory and isn't even modified by Google-provided updates; but instead intended to be just enough bootloader to un-brick basically anything you can do to the system in software. On some models, you can futz with that as well if you poke the right area of the board.

      It's definitely a 'crypto lockdown to make security easier, and possibly even possible' device; and Google hardly encourages you to go forth and GNU; but they at least allow you to. That puts ChromeOS devices well above all iDevices, a fair percentage of Android hardware, and potentially above some 'trusted boot' UEFI systems(depending on whether you can re-key the system or not). It's certainly a good example; but it's far less of an anomaly than one would like.

    2. Re:The future is now. by nukenerd · · Score: 5, Insightful

      Defining hackers as people who take control of your computer (in whatever form) for their own ends, then this scenario of a "secure walled garden" is a win for the hackers, not a win for security. My idea of security is to prevent exactly this crap happening.

      Never mind that the hacker is a corporate entity listed on the stock exchange, they are still hackers. Never mind that they will claim that you agreed to this scenario by buying their kit (as if it will be possible to buy anything else, except similar rivals' kit) - that sounds just like an old style hacker claiming you agreed to their adware/botnet/malware by clicking on their email attachment.

      I recently bought an Android tablet. I keep getting a full screen advert for some game pushed in my face without even a clear way to dismiss it. It is a game in the Android app store they want me to buy. It severely pisses me off; but it is not (by their definition) malware, it is "official". This takes place within what would be the "secure walled garden". I would rather take my chances in the shark pool - at least I am in control.

    3. Re:The future is now. by DigiShaman · · Score: 3, Insightful

      Defining hackers as people who take control of your computer (in whatever form) for their own ends, then this scenario of a "secure walled garden" is a win for the hackers, not a win for security. My idea of security is to prevent exactly this crap happening.

      I think you and everyone else needs to take a step back, breath, and re-evaluate what the entire point of using a computer is. For software developers, yes, you often need full unrestricted access to your computer. But for the majority of people, the computer is just a set of tools by which to do the job. In the case of Apple and Google, their "secure walled gardens" is embraced as a safe community by those that work and play in it. I mean honestly, most people would rather not be swindled in ID theft than have some opened-ended wild-wild-west platform with bandits nearby.

      "Apple is a walled garden, but what a beautiful garden it is!"

      --
      Life is not for the lazy.
    4. Re:The future is now. by g0bshiTe · · Score: 4, Insightful

      It's interesting, as a techie I feel constrained and restricted on tablets and even my smartphone. I prefer the jiggery pokery of tech vs the walled garden approach. Oddly I've not had a virus or malware infection on my computer since the late 90's.

      The problem may become winnable if websites cease using infected ad hosts for revenue at the cost of their users sanity and security, let's face in todays internet most infection probably stems from infected advertising.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:The future is now. by swb · · Score: 3, Insightful

      but why should a minority of us suffer due to a majority that aren't capable to make their own choices?

      How is that not true of pretty much anything that has risk/danger associated with it which is ameliorated by prudence and caution?

      Drugs: Many people are capable of using drugs sanely without risking themselves or other people, but because some minority shows absolutely no control we have massive controls on drugs.

      Weapons: Many people are perfectly capable of safely owning even very destructive weapons without hurting themselves or others. But because some minority of people do batshit crazy things with weapons, we have a lot of controls on gun ownership and extreme controls on certain types of guns (automatic weapons, etc).

      The list is endless. A minority of people are stupid, lack self control and any kind of prudence so we implement controls which address the lowest common denominator, occasionally allowing some people to jump through hoops to obtain slightly more access to something, but often with another set of draconian controls applied.

    6. Re:The future is now. by maharvey · · Score: 3, Insightful

      This is the slow boiling of the frog. Convincing people that they "want" a lack of control is the key.

      But people DO want a lack of control. I want a lack of control in some cases.

      I have no interest in working on my car. In fact, not being able to work on my car is a great excuse to pay someone else to do it. But seriously, I wouldn't know what I was doing anyway. I certainly don't want to have to buy tools and teach myself grease-monkery! Lots of respect to those who can do that sort of thing, and I'm happy to throw money at them, I just have no interest or time for it. I would love a car that was immune to breakdowns, you buy it and it runs for 200,000 miles and never needs oil or anything.

      To most people, computers are like their car: they just want it to work. A virus is like an oil change or a flat tire, something annoying that maybe they could fix on their own but they'd rather not have to. They really want the computer sealed and immune to breakdowns, and have zero interest in ever tinkering with it. If you could eliminate viruses and Windows-entropy, they'd be thrilled.

      So you don't need to convince them. They need to convince you that is what they really want.

      It's not a society of simpletons, it's a society of people who have better things to do.

      Now I'm not playing devil's advocate. I'm with you, I want full control. That's because I know what I'm doing, and what I don't know I want to learn. It frustrates me no end to be prevented from tinkering. Hell it frustrates me just to have to use badly written software. But my mom doesn't care. The computer is just an appliance for accessing Facebook. It doesn't need to be user-serviceable any more than the sewer pipe running under your lawn.

  4. The NSA is going to win by Anonymous Coward · · Score: 3, Insightful

    Since the NSA seems to be the most heavily capitalized producer of both malware and mitigationware, I think the question of which side is going to win is a bit irrelevant. Yes, they will win.

  5. Re:depends by Kjella · · Score: 4, Insightful

    You mean like browsers and Javascript? In that case 99% of the population has lost already. The pwn2own competition results are rather miserable. The part that /. probably doesn't want to hear is that the primary effect is centralization and gatekeepers.

    Take Usenet for example, it got overrun by spammers and trolls because there was no real way to block them and the few moderated groups basically meant a few people were in control of the discussion. Instead we moved to forums, where you could use CAPTCHAs and various other tricks to block mass sign-ups, moderation, flagging of abusive users and so on. They're not perfect, but they work okay.

    Why do so many people use Facebook instead of email? Same thing, much less SPAM. For the longest time, Linux users hailed the repository model over the Windows "download random exe from the Internet" model. Then Apple took it to the extreme with the "one store to rule them all" and suddenly it was a problem. Even on Android you have to pass by huge warning lights to enable third party repositories and Windows Phone has as far as I know joined Apple in the "one store" model.

    My guess is that they'll push it to the cloud so all the application code runs on a server and they just need to lock down the browser, more per user&app sandboxes, more difficult time running unsigned software and more users with computers that need Apple's, Microsoft's or Google's sign-off to run an application. The average user simply doesn't understand the micromanagement involved, same way users won't use NoScript when browsing the web. They'll "outsource" it.

    --
    Live today, because you never know what tomorrow brings
  6. Open source will win by Kardos · · Score: 3, Insightful

    The open source software world will win in the long term through sustained application of the continual improvement process. There are millions of "us" and only thousands of "them". The most vulnerable in five years time will be closed systems.

    1. Re:Open source will win by Anonymous Coward · · Score: 3, Insightful

      >There are millions of "us" and only thousands of "them".

      The people auditing OpenSSL after the Heartbleed incident would like a word with you...

      (By the way, thank you. Next time some /.er says nobody here ever "really" believed in the whole "many eyes makes all bugs shallow" fallacy, I shall point them to your post.)

  7. Re:This one's for the general population by gstoddart · · Score: 3, Insightful

    This arms race will go for the users. The reason being that there's too much money in play to allow the opposite.

    I'm inclined to think the opposite.

    All of the companies who want to sell us products care only about that. They don't give a damn about the security of those products.

    Until consumers wise up and insist on security, or corporations carry some liability for failing to do that, then corporations will just push stuff out the door with half assed security.

    It can't just be a war on hacker. It has to also be a war on products with utterly crap security which never gets fixed. Because this Internet of Stuff is shaping up to be some of the biggest security holes imaginable.

    Most consumer products do terrible stuff like transmitting passwords in the clear. Chasing down hackers who exploit incompetently/lazily written products can never overcome that.

    --
    Lost at C:>. Found at C.