Slashdot Mirror


Ask Slashdot: Who's Going To Win the Malware Arms Race?

An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?

33 of 155 comments

  1. More of the same by gsslay · · Score: 5, Insightful

    No-one will "win", and it's not helpful to represent the issue as if it's "winnable" by either side.

    Malware, viruses, trojans and other malicious behaviour of yet unheard methods will always be around, and we'll always be inventing new ways of counteracting them. Which will in turn be circumvented, and so it goes on.

    1. Re:More of the same by fuzzyfuzzyfungus · · Score: 5, Insightful

      I'd be inclined to suggest that it will be worse than that:

      Barring some sort of radical change in priorities that causes the market to accept zero new features for, oh, a (human) generation or more, while vendors put out bugfix releases, 'winning' certainly isn't going to happen by doing conventional stuff; but harder.

      If 'winning' in fact occurs, odds are excellent that it will be on some wonderfully dystopian lockdown platform that shrinks the problem space considerably by forbidding basically everything that hasn't been cryptographically blessed by the vendor, sandboxed to hell and back, or both. Naturally, the power afforded to the vendor in this scenario will never be abused.

    2. Re:More of the same by angel'o'sphere · · Score: 3

      Actually, it is not impossible to secure a computing system. So in the end I assume the OSs will win.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

    3. Re:More of the same by __aabppq7737 · · Score: 3, Interesting

      We will lose if Adobe makes an OS

    4. Re:More of the same by TheGoodNamesWereGone · · Score: 3, Insightful

      The Bad Guys are winning, because this is a *law enforcement* problem, not just a technical one. Cybercrooks are engaged in the same kind of theft they'd engage in if computers didn't exist. In a world where police can't or won't do their jobs, putting a bigger lock on your door is not a long-term solution. With the IoT (dumbest idea EVAH!) it's only going to get worse. Weep for the future Na'Toth. Weep for us all.

    5. Re:More of the same by RabidReindeer · · Score: 2

      We'll win the malware arms race somewhere about the time we win the wars on drugs, crime, and poverty.

      The only time you can "win" an arms race is if the other side becomes exhausted. Such wins are often Pyrrhic.

  2. That I don't know but the loser is... by svif · · Score: 2

    you, me, and everybody else. As opposed to conventional warfare, cyberwarfare is all but guaranteed to catch civilians in the crossfire.

  3. Re:I'm expecting the current seesaw to continue. by Paradise+Pete · · Score: 2

    As long as there is money to be made by ripping people off over the internet there will be people somewhere in the world willing to spend their time (and money) trying.

    No need to type that "over the internet" part.

  4. Nobody. And NSA etc. sabotage makes things worse by gweihir · · Score: 5, Insightful

    It is bad enough as it is with most software being insecure. Sabotage only makes things a lot worse. And for what? A zero-success track record against terrorism? Industrial espionage? Having dirt on any possible future and present President, Congressman, Senator?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  5. No-one's going to win by wonkey_monkey · · Score: 3, Interesting

    Which side is going to win?

    What makes you think it'll ever be over?

    Here's a sports analogy, if you need one.

    (the radio version was better but I couldn't find it)

    --
    systemd is Roko's Basilisk.

    1. Re:No-one's going to win by pscottdv · · Score: 4, Funny

      I'm sorry. This is Slashdot so we'll be needing a car analogy.

      --
      this signature has been removed due to a DMCA takedown notice

  6. The future is now. by duckintheface · · Score: 4, Insightful

    You can already see the shape of that future in Google's Chrome OS. This is a very much "locked down" combination of operating system, browser, cloud applications, and storage. Security updates are automatic and (eventually) involuntary. You are limited to running the software that Google allows you to run, most of which is executed on Google servers. No website Java programs are allowed at all.

    Such an architecture provides for maximum security and has the advantage of minimum hardware requirements for RAM and on-machine storage. It allows for encryption of all communications between your computer and the outside world with minimum involvement or decision making by the user. And from Google's point of view it represents the perfect vehicle for advertising in a controlled environment. In a sense, your computer has already been hacked (by Google) when you buy it. And they will make sure it stays hacked to their preferences.

    The next step will be integration of the computer operating system with the phone operating environment. The two will merge with more software coming from "app stores" and not from the wild. At the same time, the services on the computer will become more integrated with each other so that social media, calendar, voice calls, texting, and social media work together and don't work at all with outside software. It becomes a secure walled garden with enough internal features and flexibility to be tolerable to the mass users who are not or can not be responsible for their own security.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition

    1. Re:The future is now. by Anonymous Coward · · Score: 5, Interesting

      That model (locked down like ChromeOS or iOS) is already succeeding in the marketplace over more traditional computing models, because it's what most people want. It's safer for them, and they want their devices to "just work".

      It's the inevitable end result. Except for some techies, almost everybody I know just wants to surf the web and send pictures to their friends and have that "just work". They have almost all given up on Windows in favor of mobile OSs for 99% of what they do. They sometimes still "have a PC", but don't use it much out of fear of malware, where they feel free to use the tablet, which has the side benefit of a much simpler interface for them.

      Market pressure will drive this.

    2. Re:The future is now. by fuzzyfuzzyfungus · · Score: 4, Insightful

      And, unfortunately, ChromeOS is the comparatively softcore version of dystopian cryptographic lockdown. A ChromeOS device certainly works most smoothly if you leave it set to factory defaults, and generally play like a good little consumer; but, at least for now, there's a deliberate, documented, we-don't-assure-that-you'll-like-the-results-but-here's-how-to-do-it, switch for turning off the verification, becoming root, booting alternate payloads, and generally mucking around. My memory of the details is a little fuzzy; but I think that you can have your merry way with everything except some 'fallback' BIOS/bootloader that is hardware write-locked at the factory and isn't even modified by Google-provided updates; but instead intended to be just enough bootloader to un-brick basically anything you can do to the system in software. On some models, you can futz with that as well if you poke the right area of the board.

      It's definitely a 'crypto lockdown to make security easier, and possibly even possible' device; and Google hardly encourages you to go forth and GNU; but they at least allow you to. That puts ChromeOS devices well above all iDevices, a fair percentage of Android hardware, and potentially above some 'trusted boot' UEFI systems (depending on whether you can re-key the system or not). It's certainly a good example; but it's far less of an anomaly than one would like.

    3. Re:The future is now. by nukenerd · · Score: 5, Insightful

      Defining hackers as people who take control of your computer (in whatever form) for their own ends, then this scenario of a "secure walled garden" is a win for the hackers, not a win for security. My idea of security is to prevent exactly this crap happening.

      Never mind that the hacker is a corporate entity listed on the stock exchange, they are still hackers. Never mind that they will claim that you agreed to this scenario by buying their kit (as if it will be possible to buy anything else, except similar rivals' kit) - that sounds just like an old style hacker claiming you agreed to their adware/botnet/malware by clicking on their email attachment.

      I recently bought an Android tablet. I keep getting a full screen advert for some game pushed in my face without even a clear way to dismiss it. It is a game in the Android app store they want me to buy. It severely pisses me off; but it is not (by their definition) malware, it is "official". This takes place within what would be the "secure walled garden". I would rather take my chances in the shark pool - at least I am in control.

    4. Re:The future is now. by DigiShaman · · Score: 3, Insightful

      Defining hackers as people who take control of your computer (in whatever form) for their own ends, then this scenario of a "secure walled garden" is a win for the hackers, not a win for security. My idea of security is to prevent exactly this crap happening.

      I think you and everyone else needs to take a step back, breathe, and re-evaluate what the entire point of using a computer is. For software developers, yes, you often need full unrestricted access to your computer. But for the majority of people, the computer is just a set of tools by which to do the job. In the case of Apple and Google, their "secure walled gardens" are embraced as a safe community by those that work and play in it. I mean honestly, most people would rather not be swindled in ID theft than have some open-ended wild-wild-west platform with bandits nearby.

      "Apple is a walled garden, but what a beautiful garden it is!"

      --
      Life is not for the lazy.

    5. Re:The future is now. by DarkOx · · Score: 2

      I think you are correct but I hope you are wrong. The trouble with software not coming from the wild is it means the era of the hobbyist programmer is over. Which I think will in many ways also mean the end of innovation. Right now the app stores are full because there are enough people who already had the skills to create apps. They have those skills because they obtained them in a time where the barrier to entry was low. They had a PC and it was programmable and programmer friendly. So if folks that were interested got a chance to learn, it's only a small leap to writing for another device.

      If we end up in a world with programmer unfriendly devices and one where most don't have PCs because their tablet or Chromebook is 'good enough', then only the folks with direct exposure to programming via someone they know who does it will become interested. There won't be that PC sitting in their home to just tinker with; a person would have to go out and buy one just to see if it's something they want to get into. I am not a fan of the teach everyone to code whether they care to or not movement, but iOS and ChromeOS are barriers to entry that could easily get in the way of people who do care. Part of the fun at the beginner level is being able to share your stuff with others; that is harder to do when you have to get through some app store approval process and you are just starting out.

      That said, I think the malware arms race is 'winnable'. The concept of least privilege is getting integrated into mostly single user desktop platforms like Windows, and technology like ASLR, DEP, stack protection, and canaries have virtually killed the buffer overflow as anything more than a DoS vector in 64-bit software. Now most 'exploits' really depend on some sort of fundamental algorithmic or logic error; that or attacking some legacy 32-bit or 16-bit binary. People do now largely know better than to run random executables from people they don't know, etc. Security in the PC world is 'getting there'; hopefully that will stem the tide of the 'app store' paradigm.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    6. Re:The future is now. by mlts · · Score: 2

      This.

      What we will see are vendors conflating locking the device away from its user with anti-malware protection... two different things, but both are considered "security".

      I will also not be surprised to see more remote monitoring, where if a device reports that it was jailbroken or rooted, the cellular network blacklists that device's IMEI.

      The future is now. Look at the latest generation of consoles as what we are going to have in our pockets and on our desks. Consoles have no issues with malware and a 0% piracy rate. The main game makers (for the most part) thrive off of the same IP that was out over a decade ago. Any issues result in the console being blacklisted. To boot, you never know if you are being watched. A closed environment like a console can easily have an update pushed to turn the console into a 24/7/365 monitoring device, and there is no way for the user to fix it, outside of physically killing cameras, depowering it or tossing the console in the garbage.

      We will also see a tipping point. If a group of people find a bootrom exploit that allows for the next iPhone to be jailbroken, or the exploit allows malware to be put on devices without detection... the malware authors will pay millions for it, while a JB might result in very little. Especially with the time a phone stays jailbroken being days to weeks before Apple pushes an update that closes the hole. In this time, a malware author can make a lot of money with no way to detect or trace his/her works.

      Desktops used to be a bastion of freedom, but that is getting encroached as well. The hardware spec for Windows 10 allows CPU vendors to lock down the UEFI Secure Boot to just Windows, and the hardware spec mandates a TPM chip that is shipped on. In fact, any PC certified with Windows 8.1 has the TPM 2.0 chip present.

      The only reason why we have not seen a wholesale push to get users completely in the cloud is the fact there is pushback due to the fact that bandwidth in the US is expensive and will remain so.

      The sad thing is that we won this battle. In the early 1990s, there was a battle for the device that would be used for consumer browsing. It was the desktop versus the TV set top box. The desktop won because the STB was a monolithic environment and couldn't innovate. Now, we are seeing a rematch, and this time, innovation is stagnant for the desktop and new features, while the set top box has a lot of money behind it, and a lot more technology to lock it down.

      A lot of people would rather take a console with its ability to report everything you do to anyone upstream and other privacy constraints than a desktop. Trading freedom for security is a dumb thing.

    7. Re:The future is now. by Marginal+Coward · · Score: 3, Interesting

      The number one complaint I hear from those forced to use Windows is that it takes forever to boot.

      As one who uses Windows voluntarily, it's hard for me to relate to this. I typically boot it once a day (after turning it off the previous night), so it's no hardship to spend the couple of minutes it takes to boot on some other part of my morning routine.

      My Android phone may be faster to boot than Windows, though I typically leave it on all the time since it doesn't use enough power to bother with turning it off at night. When I do restart it though, the process seems "slow". I think the reason is that I don't have cereal that needs eating or teeth that need brushing at those times.

      So where's the hardship in waiting for Windows to boot? It ain't perfect, but boot time would be pretty far down on my own list of Windows complaints.

    8. Re:The future is now. by g0bshiTe · · Score: 4, Insightful

      It's interesting, as a techie I feel constrained and restricted on tablets and even my smartphone. I prefer the jiggery pokery of tech vs the walled garden approach. Oddly I've not had a virus or malware infection on my computer since the late '90s.

      The problem may become winnable if websites cease using infected ad hosts for revenue at the cost of their users' sanity and security. Let's face it, in today's internet most infection probably stems from infected advertising.

      --
      I am Bennett Haselton! I am Bennett Haselton!

    9. Re:The future is now. by swb · · Score: 3, Insightful

      but why should a minority of us suffer due to a majority that aren't capable of making their own choices?

      How is that not true of pretty much anything that has risk/danger associated with it which is ameliorated by prudence and caution?

      Drugs: Many people are capable of using drugs sanely without risking themselves or other people, but because some minority shows absolutely no control we have massive controls on drugs.

      Weapons: Many people are perfectly capable of safely owning even very destructive weapons without hurting themselves or others. But because some minority of people do batshit crazy things with weapons, we have a lot of controls on gun ownership and extreme controls on certain types of guns (automatic weapons, etc).

      The list is endless. A minority of people are stupid, lack self control and any kind of prudence so we implement controls which address the lowest common denominator, occasionally allowing some people to jump through hoops to obtain slightly more access to something, but often with another set of draconian controls applied.

    10. Re:The future is now. by maharvey · · Score: 3, Insightful

      This is the slow boiling of the frog. Convincing people that they "want" a lack of control is the key.

      But people DO want a lack of control. I want a lack of control in some cases.

      I have no interest in working on my car. In fact, not being able to work on my car is a great excuse to pay someone else to do it. But seriously, I wouldn't know what I was doing anyway. I certainly don't want to have to buy tools and teach myself grease-monkery! Lots of respect to those who can do that sort of thing, and I'm happy to throw money at them, I just have no interest or time for it. I would love a car that was immune to breakdowns, you buy it and it runs for 200,000 miles and never needs oil or anything.

      To most people, computers are like their car: they just want it to work. A virus is like an oil change or a flat tire, something annoying that maybe they could fix on their own but they'd rather not have to. They really want the computer sealed and immune to breakdowns, and have zero interest in ever tinkering with it. If you could eliminate viruses and Windows-entropy, they'd be thrilled.

      So you don't need to convince them. They need to convince you that is what they really want.

      It's not a society of simpletons, it's a society of people who have better things to do.

      Now I'm not playing devil's advocate. I'm with you, I want full control. That's because I know what I'm doing, and what I don't know I want to learn. It frustrates me no end to be prevented from tinkering. Hell it frustrates me just to have to use badly written software. But my mom doesn't care. The computer is just an appliance for accessing Facebook. It doesn't need to be user-serviceable any more than the sewer pipe running under your lawn.

    11. Re:The future is now. by monkeyzoo · · Score: 3, Informative

      Who's gonna win the war on drugs?
      Who's gonna win the war on terror?
      Who's gonna win the war on hacking?

  7. The NSA is going to win by Anonymous Coward · · Score: 3, Insightful

    Since the NSA seems to be the most heavily capitalized producer of both malware and mitigationware, I think the question of which side is going to win is a bit irrelevant. Yes, they will win.

  8. Re:idiots will lose by Karmashock · · Score: 4, Interesting

    Right with you on the JavaScript thing. I use NoScript passively everywhere. The internet is just a nicer place when random JavaScript has to have permission to run at all.

    I only run what I have to run.

    I do the same thing with cookies. If a site doesn't need cookies then I don't let it store them on my machine. And third party cookies? ha. Basically never. I go through most of the internet like a ghost. They can track my IP I guess but that is a far cry from loading me up with tracking cookies or insane amounts of nested javascripts.

    Have you ever seen how they're set up? They put one inside another inside another inside another. They're like those fucking russian dolls only worse. You'll have five or six nested inside of one script and then each of those could have two or three scripts inside of it and so on. It is insane. There needs to be some sort of passive standard that limits scripts to the host domain. I don't understand why you'd run foreign scripts. There's no reason for it. And if you REALLY need to, then fine... let people right-click something to add an exception, but if most people don't do that the web admins will craft less retarded sites... and hopefully the ad people will be less obnoxious.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  9. Re:depends by Kjella · · Score: 4, Insightful

    You mean like browsers and JavaScript? In that case 99% of the population has lost already. The Pwn2Own competition results are rather miserable. The part that /. probably doesn't want to hear is that the primary effect is centralization and gatekeepers.

    Take Usenet for example, it got overrun by spammers and trolls because there was no real way to block them and the few moderated groups basically meant a few people were in control of the discussion. Instead we moved to forums, where you could use CAPTCHAs and various other tricks to block mass sign-ups, moderation, flagging of abusive users and so on. They're not perfect, but they work okay.

    Why do so many people use Facebook instead of email? Same thing, much less spam. For the longest time, Linux users hailed the repository model over the Windows "download random exe from the Internet" model. Then Apple took it to the extreme with the "one store to rule them all" and suddenly it was a problem. Even on Android you have to pass by huge warning lights to enable third party repositories, and Windows Phone has as far as I know joined Apple in the "one store" model.

    My guess is that they'll push it to the cloud so all the application code runs on a server and they just need to lock down the browser: more per-user and per-app sandboxes, a more difficult time running unsigned software, and more users with computers that need Apple's, Microsoft's or Google's sign-off to run an application. The average user simply doesn't understand the micromanagement involved, same way users won't use NoScript when browsing the web. They'll "outsource" it.

    --
    Live today, because you never know what tomorrow brings

  10. Open source will win by Kardos · · Score: 3, Insightful

    The open source software world will win in the long term through sustained application of the continual improvement process. There are millions of "us" and only thousands of "them". The most vulnerable in five years time will be closed systems.

    1. Re:Open source will win by Anonymous Coward · · Score: 3, Insightful

      >There are millions of "us" and only thousands of "them".

      The people auditing OpenSSL after the Heartbleed incident would like a word with you...

      (By the way, thank you. Next time some /.er says nobody here ever "really" believed in the whole "many eyes makes all bugs shallow" fallacy, I shall point them to your post.)

  11. Two Extremes Will Win by mentil · · Score: 2

    Minor infections will become less common, as the attack surface area is reduced and mitigated over time. New APIs and interfaces will be created, creating N+1 standards, but they'll be more secure than the older ones they supersede. For example, Flash and ActiveX are slowly going away in favor of more secure alternatives. How many critical html5 vulnerabilities are found in your browser of choice compared to critical Flash/Java Web Client vulnerabilities? Open source is a big part of it, but security being baked into the design rather than being tacked-on after thousands of vulnerabilities have been written into legacy code is bigger.

    On the downside, when you DO catch an infection, it'll be nasty. New methods for hiding in firmware will require removing chips and re-flashing them, and unless open firmware takes off in a big way, in practice this will mean replacing hardware very carefully so it doesn't infect the new hardware. It will be virtually undetectable, and have countless methods for defeating airgapping, virtual machines, decompiling, reverse engineering, and antivirus software. So once your machine is owned, it'll really be owned.

    The best thing that can be done is to systematically eliminate every motivation to deploy malware: make spam unprofitable, harden SCADA to eliminate sabotage, mature altcoins to not benefit from stolen processing cycles, and regulate online advertising so ad injection is pointless. Also, rework the protocols that allow DDoSing, and require actual two-factor authentication for financial websites/transactions. Eventually, I think malware will be rare/invisible enough that only computer scientists will know about it; ordinary users won't worry about it.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

  12. the obvious winner should be apparent. by nimbius · · Score: 3, Funny

    Who's going to win the arms race? Easy. Maalwarkstrodon. It's a mythical beast that speaks in pornographic subplots and maintains direct communication with your girlfriend's every want and desire so as better to inform you on how to best please her. It has the feet of BonziBuddy, the torso of that man who uses 1 weird trick to perfect his abs, and the arms of the scientists that hate her. Most impressively, Maalwarkstrodon has a skull made from a Viagra, Levitra, Cialis, and Propecia alloy. This beast of malware belches sexy singles from former east-bloc Soviet satellite states and is cloaked in the finest fashions from Paris and Milan, imported directly from Fujian, China.

    Maalwarkstrodon is incapable of offering any less than the best deals at 80% to 90% off, and will not rest until your 2 million dollar per month work-at-home career comes to fruition and the spoils of all true Nigerian royalty are delivered unto those most deserving of a king's riches.

    --
    Good people go to bed earlier.

  13. AVP - Anti-Virus Protection or Alien vs Predator? by Anarchitektur · · Score: 2

    A malware arms race is like Alien vs Predator: no matter who wins, we lose. Or so I've been led to believe.

  14. Who will win? by Cro+Magnon · · Score: 2

    Neither. The malware war, like tic-tac-toe and global thermonuclear war, is unwinnable.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.

  15. Re:This one's for the general population by gstoddart · · Score: 3, Insightful

    This arms race will go for the users. The reason being that there's too much money in play to allow the opposite.

    I'm inclined to think the opposite.

    All of the companies who want to sell us products care only about that. They don't give a damn about the security of those products.

    Until consumers wise up and insist on security, or corporations carry some liability for failing to do that, corporations will just push stuff out the door with half-assed security.

    It can't just be a war on hackers. It has to also be a war on products with utterly crap security which never gets fixed. Because this Internet of Stuff is shaping up to be some of the biggest security holes imaginable.

    Most consumer products do terrible stuff like transmitting passwords in the clear. Chasing down hackers who exploit incompetently/lazily written products can never overcome that.

    --
    Lost at C:>. Found at C.