Ask Slashdot: Who's Going To Win the Malware Arms Race?
An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?
No-one will "win", and it's not helpful to represent the issue as if it's "winnable" by either side.
Malware, viruses, trojans and other malicious behaviour of yet unheard methods will always be around, and we'll always be inventing new ways of counteracting them. Which will in turn be circumvented, and so it goes on.
At the moment the NSA, GCHQ and other agencies, at the behest of politicians who want to see all our communications, are working against the security industry. If this continues I see a bleak future. But if we manage to get these organisations to support security I see a much better future.
trojan horses
The Greeks won that particular arms race.
You, me, and everybody else. As opposed to conventional warfare, cyberwarfare is all but guaranteed to catch civilians in the crossfire.
This arms race will go for the users. The reason being that there's too much money in play to allow the opposite.
Whatever has to be done will be done. If it becomes such a problem that the USA has to invent a "war on hacker" and start "bombing by IP", it will.
But we're talking a long, long time from now. Like many, many... weeks.
No need to type that "over the internet" part.
It is bad enough as it is with most software being insecure. Sabotage only makes things a lot worse. And for what? A zero-success track record against terrorism? Industrial espionage? Having dirt on any possible future and present President, Congressman, Senator?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
As long as consuming content over the internet does not require downloading and running code, it will stay relatively safe.
Which side is going to win?
What makes you think it'll ever be over?
Here's a sports analogy, if you need one.
(the radio version was better but I couldn't find it)
systemd is Roko's Basilisk.
that's all we can be certain of really.
The good news is that the public are becoming more educated on the subject. I've noticed it over the years. They're getting more mindful about not sticking their dicks in electrical sockets... even if the buzzing sensation is momentarily enjoyable.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
You can already see the shape of that future in Google's Chrome OS. This is a very much "locked down" combination of operating system, browser, cloud applications, and storage. Security updates are automatic and (eventually) involuntary. You are limited to running the software that Google allows you to run, most of which is executed on Google servers. No website Java programs are allowed at all.
Such an architecture provides for maximum security and has the advantage of minimum hardware requirements for RAM memory and on-machine storage. It allows for encryption of all communications between your computer and the outside world with minimum involvement or decision making by the user. And from Google's point of view it represents the perfect vehicle for advertising in a controlled environment. In a sense, your computer has already been hacked (by Google) when you buy it. And they will make sure it stays hacked to their preferences.
The next step will be integration of the computer operating system with the phone operating environment. The two will merge with more software coming from "app stores" and not from the wild. At the same time, the services on the computer will become more integrated with each other so that social media, calendar, voice calls, texting, and social media work together and don't work at all with outside software. It becomes a secure walled garden with enough internal features and flexibility to be tolerable to the mass users who are not or can not be responsible for their own security.
"He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
Once the internet became a thing regulated by government as opposed to technologists, it was lost. The intangible reality of it was lost, and now you can steal things off of the internet... even though we the owners and thieves know this is a false economy, at the end of the tunnel there is real money. So now the wrong people have taken interest and subsequently control. A new unregulated internet has to be created which is something more than a layer of encryption laid over the original. We've fucked this one up completely and all of the wrong people control something they will never understand but simply want things from. Now that we know idiots will take over the internet, can't we start thinking about an even better system?
It's the same as with two teams of lawyers battling it out for two parties: in the end only the lawyers really win.
These hackers on both sides basically just cause employment for each other, and therefore both sides win, and all those not involved are the biggest losers.
Two things:
- the US has accelerated the development of malware and lifted it to a new level.
- the US has lots of advanced technology that's vulnerable to malware.
So if there's a cyberwar between backward North Korea and the US, who do you think will lose?
Since the NSA seems to be the most heavily capitalized producer of both malware and mitigationware, I think the question of which side is going to win is a bit irrelevant. Yes, they will win.
The future is in whitelisting, which assumes the removal of anonymity for websites and advertisers, and certificates for executables. Freedom fighters will whine and moan, but that's what will happen.
The open source software world will win in the long term through sustained application of the continual improvement process. There are millions of "us" and only thousands of "them". The most vulnerable in five years time will be closed systems.
The internet will be harder and harder to use, it will be a more dangerous place every year, and the skills you'll need to use it without being robbed or blackmailed will increase. I suspect there will be parallel internets, usable by tech savvy people only, as a layer on top of the net as we know it, similar to the dark nets we see now. 20 years from now, most of us here will be able to use the net in a more or less safe way, whereas a majority of people will not.
no, I don't have a sig
Minor infections will become less common, as the attack surface area is reduced and mitigated over time. New APIs and interfaces will be created, creating N+1 standards, but they'll be more secure than the older ones they supersede. For example, Flash and ActiveX are slowly going away in favor of more secure alternatives. How many critical HTML5 vulnerabilities are found in your browser of choice compared to critical Flash/Java Web Client vulnerabilities? Open source is a big part of it, but security being baked into the design rather than being tacked on after thousands of vulnerabilities have been written into legacy code is bigger.
On the downside, when you DO catch an infection, it'll be nasty. New methods for hiding in firmwares will require removing chips and re-flashing them, and unless open firmware takes off in a big way, in practice this will mean replacing hardware very carefully so it doesn't infect the new hardware. It will be virtually undetectable, and have countless methods for defeating airgapping, virtual machines, decompiling, reverse engineering, and antivirus software. So once your machine is owned, it'll really be owned.
The best thing that can be done is to systematically eliminate every motivation to deploy malware: make spam unprofitable, harden SCADA to eliminate sabotage, mature altcoins to not benefit from stolen processing cycles, and regulate online advertising so ad injection is pointless. Also, rework the protocols that allow DDOSing, and require actual two-factor authentication for financial websites/transactions. Eventually, I think malware will be rare/invisible enough that only computer scientists will know about it, ordinary users won't worry about it.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Who's going to win the arms race? Easy. Maalwarkstrodon. It's a mythical beast that speaks in pornographic subplots and maintains direct communication with your girlfriend's every want and desire so as better to inform you on how to best please her. It has the feet of Bonzi Buddy, the torso of that man who uses 1 weird trick to perfect his abs, and the arms of the scientists that hate her. Most impressively, Maalwarkstrodon has a skull made from a Viagra, Levitra, Cialis, and Propecia alloy. This beast of malware belches sexy singles from former east-bloc Soviet satellite states and is cloaked in the finest fashions from Paris and Milan, imported directly from Fujian, China.
Maalwarkstrodon is incapable of offering any less than the best deals at 80% to 90% off, and will not rest until your 2 million dollar per month work-at-home career comes to fruition and the spoils of all true Nigerian royalty are delivered unto those most deserving of a king's riches.
Good people go to bed earlier.
It's ironic that I'm seeing an ad for malware (myturbopc.com) at the top of this /. page
"We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them."
This document from 2005 sets out why relying on detecting malware doesn't work. 'The Six Dumbest Ideas in Computer Security'
"Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?"
I don't have to imagine, I'm doing so right now on this Ubuntu desktop, and DDoS attacks are only viable because of all those compromised Windows desktop computers out there on the Internet. Meanwhile, for those still afflicted, how about getting the security vendors to design a 'computer' that doesn't run malware by clicking on a URL or opening an email attachment?
My answer is: C none of the above.
There are third parties who are going to come out winners here.
- nation-states that use/abuse the hackers (think China, the NSA, and such who subvert botnets, who already know who-is-who. Companies who want to hurt the competition in illegal ways and not get caught can sponsor hacks of competitor flagships.)
- hardware/software vendors who provide (mediocre) protection against unforeseen threats. (The same fear-based motivation for the ignorant masses is used by politicians around the world to retain power)
Like nuclear war where nobody wins, in the end this is going to cost a truckload of money with no equal value for the churn - in the whole the community of humans will be worse off for it. In the short run there is blood. Humans like blood, sadly.
I see a "new" network, proprietary and locked down, for "real world" applications. All the "important" data will be on it only; banks, Wall Street, governments, etc. will use this from now on. They will publish some type of virtual machine for "regular people" to use to do banking and whatever; or even two physical machines in one. Eventually the current "internet" will become less and less of a target as it loses its financial impact and becomes completely social and informational only. FTTH could do this with multiple wavelength frequencies on the same line. The current system is too open, too unsecured to ever "fix" it.
The issue is, under what circumstances is it worthwhile to spend time writing a virus/trojan/whatever.
Clearly financial gain is THE prime motivator, although notoriety is a close second - mostly because it leads to money.
The war, though, is certainly winnable. The idea of certified manifests is getting close to the solution - there is certainly more work and thought to be applied to that though.
End user expectation management is in order too. The days of downloading software are coming to a close. I really don't see the need for most devices to have this functionality. Downloading from a known trusted source is one thing. Downloading from user configurable sources is mostly stupid - since the vast majority of users are simply too stupid to make good decisions.
A malware arms race is like Alien vs Predator: no matter who wins, we lose. Or so I've been led to believe.
There are only a finite number of threat vectors and technically each year the number of vectors should be reducing. If this is not the case, then two possible factors, or combination thereof, are playing a role:
1. Sabotage - government, or privately funded
2. Failure to integrate lessons learned into the software and hardware development cycles
True security starts from the hardware which imposes restrictions on the software to mitigate every threat it can. Next is the OS, which should impose restrictions on applications. If these two aspects are done correctly, no further security is required beyond proper configuration or API usage.
Our biggest challenges with security are asshole governments who want to undermine security so they can spy on us, and incompetent companies who sell us insecure products because they just want to push some bauble out the door.
As long as we have these two problems, the malware folks will always win, because we will not have the tools required to keep them out.
If spying governments and inept corporations are the weak links, we're pretty much screwed.
So the next time some asshole in a spy agency says we shouldn't have encryption so they can spy on us, that person should be told in no uncertain terms to piss up a rope.
Lost at C:>. Found at C.
Neither. The malware war, like tic-tac-toe and global thermonuclear war, is unwinnable.
First they came after the Senators, but I did nothing because I was not a Senator ...
Don't fight for your country, if your country does not fight for you.
Agent Smith.
Tat Tvam Asi
When the first bots started I wish the internet providers had taken steps to completely block the internet access to the clueless owners of owned Windows systems. Show them a captive page with a short explanation why, and a download of an antivirus. No internet access until then. But this should have been done over 15 years ago.
Non-Linux Penguins ?
The war will continue, and the majority of people who don't have the time/inclination/skills to learn all the tricks of the trade will continue to be caught in the middle. SWATting, DOXing, etc. all prove that.
As long as there are governments willing to do whatever it takes to control their citizens, the war will continue. The DDoS of GitHub proves that.
As long as there is money to be made, hackers will still go after your information (SSN's, bank accounts, etc.) In the end, you just need to get used to the war, and try and survive the crossfire.
-merlyn
Virus and antivirus suppliers have a symbiotic business relationship; each requires the other to continually make slow progress, rendering their old product useless, so they can sell their new product. If either side 'won', then they would cease being able to sell upgrades; their business model requires them not to win.
A pizza of radius z and thickness a has a volume of pi z z a
Either you bought an already compromised tablet or you installed something suspect from the app store.
And you can find out the offending app with free programs available from the app store too, if you really can't remember what shit game you installed that it came with. If you don't have anything showing up on the application manager that you would guess to be the culprit, then your tablet came with the malware to begin with.
You know what's funny? Slashdot runs apps on the mobile side that occasionally just forward you to another page that tries to get you to install a malware .apk.
If you want a system into which you can't install any apk if you so wish after setting the setting to do so, then too bad, buy an iPhone or a Microsoft phone.
Anyways, you could report it to Google. At least report what they're advertising. It is against the rules to do such popups you know.
(And if you can't take care of it, wtf are you doing on Slashdot anyways, if you can't uninstall 2015's purple monkey from your machine?)
world was created 5 seconds before this post as it is.
And the irony is the spammers did such a good job of forcing people off Usenet that there were so few people left the spammers gave up bothering and moved on to more lucrative environments to screw up. The upshot is that Usenet is actually quite usable now, though NNTP servers are slowly disappearing sadly.
"where we don't have to worry about what links we click or what attachments we open?" To open an attachment that doesn't belong directly to you, from someone you don't know, from a site that you don't use, or on a subject unrelated to the sender is an utterly stupid action. Also, I hate autopreview emails.
-no sig today-
Computers roughly double in power every two years.
That means every two years, malware can be twice as destructive.
Security constantly improves, but it doesn't improve as fast.
Measured as a percentage, the amount of damage being done will go down.
Measured as an absolute, the amount of damage will go up.
The people most likely to release a rogue AI will be malware people since they have no reason to hold back. At some point the AI will self-evolve and then we get Skynet. Only Commander Adama will have old enough tech to escape our cyber overlord's long reach.
Some drink at the fountain of knowledge. Others just gargle.
I had the same idea, with one thing added: if any OS wins, it won't come from Microsoft.
Good, inexpensive web hosting
It is going to get to the point where the only viable solution is a trusted sandbox. It will be something along the lines of a TPM chip to make sure that the OS image / boot loader has not been compromised, combined with a white listed set of applications and trusted content sources.
People are either going to give up computing freedom for security, or they are going to become desensitized to and accepting of the fact that their "private / personal data" is neither.
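The "certified manifests", "certificates for executables" and TPM-anchored whitelist ideas raised in several of the comments above share one mechanism: an allow-list of known-good executables whose integrity is itself protected. The following is an added illustration, not code from the thread or from any product; it uses HMAC-SHA256 with a shared key as a stand-in for a vendor signature (a real deployment would verify a public-key signature, with the TPM attesting the boot chain that loads the check), and the file contents are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed sample "installed executables" (path -> content); not real binaries.
SAMPLE_FILES = {
    "/usr/bin/editor": b"\x7fELF editor v1.0",
    "/usr/bin/mailer": b"\x7fELF mailer v2.3",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable byte encoding so the authentication tag covers exactly these entries.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """List each file's SHA-256 and authenticate the list.

    Assumption for this demo: HMAC with a shared key stands in for the
    vendor's signature over the manifest.
    """
    entries = {path: sha256_hex(content) for path, content in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose entries no longer match its tag (e.g. an added entry)."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def may_execute(path: str, content: bytes, manifest: dict, key: bytes) -> bool:
    """Default deny: run only a file listed in an authentic manifest with a matching hash."""
    if not manifest_is_authentic(manifest, key):
        return False
    expected_hash = manifest["entries"].get(path)
    if expected_hash is None:
        return False  # unknown file: not on the whitelist
    return hmac.compare_digest(expected_hash, sha256_hex(content))


if __name__ == "__main__":
    key = b"demo-vendor-key"  # constructed demo key
    manifest = build_manifest(SAMPLE_FILES, key)
    print(may_execute("/usr/bin/editor", SAMPLE_FILES["/usr/bin/editor"], manifest, key))
    print(may_execute("/usr/bin/editor", b"\x7fELF editor v1.0 + implant", manifest, key))
    print(may_execute("/tmp/dropper", b"anything", manifest, key))
```

The three checks in the `__main__` block show the policy's three outcomes: a listed, unmodified file runs; a listed file whose bytes changed is refused; a file not in the manifest is refused regardless of content.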
People, i.e. Joe Public, don't understand what a massive gift technology is to either enslave or free them. In the cyber era technical folk will be both revered and feared because people don't invest in the critical thinking skills required to be responsible netizens, frankly browse here at -1 and see how many pointless annoying trolls there are. Perhaps people should have to be qualified and prove they are responsible enough to use the net.
The Information Technology arms race should have always been a stalemate, however I think the spooks will inadvertently bump things into the blackhats' favor. Why? Because it is already clear to see that the spooks have a disdain for the people who, indirectly, pay our salaries. Worse, Snowden showed them that people here can cause damage to them.
Ethics, of course, very narrowly rest with the whitehats, who constantly try to educate users, who don't give a shit, why and how they should protect themselves. Of course, couple that with net users' ridiculous apathy and it makes it easier for the lawmakers to pass laws to the detriment of those very same users. Maybe the blackhats and spooks are right to treat them like morons and fodder whose only use is as fall guy and launch point onto a harder target.
Right now users are complaining that Cryptolocker encrypted their files, so encryption must be bad because they lost all their baby photos - yet they won't back anything up. Tomorrow they will be complaining how their retirement fund was emptied and their house was sold from underneath them and that if 'only someone had told them' while they try to shift the blame for their moronic behavior elsewhere. I do feel bad about it but I find it difficult to feel sympathy anymore for people who can't take responsibility for their own *lack* of action.
I'm sorry about being so cynical but I, like many slashdotters, was here before the web when you could talk to lots of really smart people. Now it seems like the morons have taken over and the collective IQ of the net takes a hit every time. As a former whitehat, setting up security for banks you have heard of, I hate to say it but I think the spooks have tipped the balance in favor of the blackhats and it is now a matter of how badly and how much Joe Public loses.
In the coming years really bad fraud will happen to people, which is when they will realize how truly pwned they have always been.
My ism, it's full of beliefs.
For example, see here... Even a President can do something right once in a while: http://www.newser.com/story/20... and we need that, because: http://www.techweekeurope.co.u...
once malware takes to the skies in drones things will get really dangerous, imagine all machines sharing mesh networks and the internet of things being infected with malware that takes over drones and trains and buses etc. Antivirus companies will end up being funded by the DOD I suppose (if they aren't already).