Slashdot Mirror


Ask Slashdot: Who's Going To Win the Malware Arms Race?

An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?

  1. More of the same by gsslay · · Score: 5, Insightful

    No-one will "win", and it's not helpful to represent the issue as if it's "winnable" by either side.

    Malware, viruses, trojans and other malicious behaviour of yet unheard methods will always be around, and we'll always be inventing new ways of counteracting them. Which will in turn be circumvented, and so it goes on.

    1. Re:More of the same by fuzzyfuzzyfungus · · Score: 5, Insightful

      I'd be inclined to suggest that it will be worse than that:

      Barring some sort of radical change in priorities that causes the market to accept zero new features for, oh, a (human) generation or more, while vendors put out bugfix releases, 'winning' certainly isn't going to happen by doing conventional stuff; but harder.

      If 'winning' in fact occurs, odds are excellent that it will be on some wonderfully dystopian lockdown platform that shrinks the problem space considerably by forbidding basically everything that hasn't been cryptographically blessed by the vendor, sandboxed to hell and back, or both. Naturally, the power afforded to the vendor in this scenario will never be abused.

  2. Nobody. And NSA etc. sabotage makes things worse by gweihir · · Score: 5, Insightful

    It is bad enough as it is with most software being insecure. Sabotage only makes things a lot worse. And for what? A zero-success track-record against terrorism? Industrial espionage? Having dirt on any possible future and present President, Congressman, Senator?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. The future is now. by duckintheface · · Score: 4, Insightful

    You can already see the shape of that future in Google's Chrome OS. This is a very much "locked down" combination of operating system, browser, cloud applications, and storage. Security updates are automatic and (eventually) involuntary. You are limited to running the software that Google allows you to run, most of which is executed on Google servers. No website Java programs are allowed at all.

    Such an architecture provides for maximum security and has the advantage of minimum hardware requirements for RAM memory and on-machine storage. It allows for encryption of all communications between your computer and the outside world with minimum involvement or decision making by the user. And from Google's point of view it represents the perfect vehicle for advertising in a controlled environment. In a sense, your computer has already been hacked (by Google) when you buy it. And they will make sure it stays hacked to their preferences.

    The next step will be integration of the computer operating system with the phone operating environment. The two will merge with more software coming from "app stores" and not from the wild. At the same time, the services on the computer will become more integrated with each other so that social media, calendar, voice calls, texting, and social media work together and don't work at all with outside software. It becomes a secure walled garden with enough internal features and flexibility to be tolerable to the mass users who are not or can not be responsible for their own security.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    1. Re:The future is now. by Anonymous Coward · · Score: 5, Interesting

      That model (locked down like ChromeOS or iOS) is already succeeding in the marketplace over more traditional computing models, because it's what most people want. It's safer for them, and they want their devices to "just work".

      It's the inevitable end result. Except for some techies, almost everybody I know just wants to surf the web and send pictures to their friends and have that "just work". They have almost all given up on Windows in favor of mobile OSs for 99% of what they do. They sometimes still "have a PC", but don't use it much out of fear of malware, where they feel free to use the tablet, which has the side benefit of a much simpler interface for them.

      Market pressure will drive this.

    2. Re:The future is now. by fuzzyfuzzyfungus · · Score: 4, Insightful

      And, unfortunately, ChromeOS is the comparatively softcore version of dystopian cryptographic lockdown. A ChromeOS device certainly works most smoothly if you leave it set to factory defaults, and generally play like a good little consumer; but, at least for now, there's a deliberate, documented, we-don't-assure-that-you'll-like-the-results-but-here's-how-to-do-it, switch for turning off the verification, becoming root, booting alternate payloads, and generally mucking around. My memory of the details is a little fuzzy; but I think that you can have your merry way with everything except some 'fallback' BIOS/bootloader that is hardware write-locked at the factory and isn't even modified by Google-provided updates; but instead intended to be just enough bootloader to un-brick basically anything you can do to the system in software. On some models, you can futz with that as well if you poke the right area of the board.

      It's definitely a 'crypto lockdown to make security easier, and possibly even possible' device; and Google hardly encourages you to go forth and GNU; but they at least allow you to. That puts ChromeOS devices well above all iDevices, a fair percentage of Android hardware, and potentially above some 'trusted boot' UEFI systems (depending on whether you can re-key the system or not). It's certainly a good example; but it's far less of an anomaly than one would like.

    3. Re:The future is now. by nukenerd · · Score: 5, Insightful

      Defining hackers as people who take control of your computer (in whatever form) for their own ends, then this scenario of a "secure walled garden" is a win for the hackers, not a win for security. My idea of security is to prevent exactly this crap happening.

      Never mind that the hacker is a corporate entity listed on the stock exchange, they are still hackers. Never mind that they will claim that you agreed to this scenario by buying their kit (as if it will be possible to buy anything else, except similar rivals' kit) - that sounds just like an old style hacker claiming you agreed to their adware/botnet/malware by clicking on their email attachment.

      I recently bought an Android tablet. I keep getting a full screen advert for some game pushed in my face without even a clear way to dismiss it. It is a game in the Android app store they want me to buy. It severely pisses me off; but it is not (by their definition) malware, it is "official". This takes place within what would be the "secure walled garden". I would rather take my chances in the shark pool - at least I am in control.

    4. Re:The future is now. by g0bshiTe · · Score: 4, Insightful

      It's interesting, as a techie I feel constrained and restricted on tablets and even my smartphone. I prefer the jiggery pokery of tech vs the walled garden approach. Oddly I've not had a virus or malware infection on my computer since the late 90's.

      The problem may become winnable if websites cease using infected ad hosts for revenue at the cost of their users' sanity and security. Let's face it, in today's internet most infection probably stems from infected advertising.

      --
      I am Bennett Haselton! I am Bennett Haselton!
  4. Re:idiots will lose by Karmashock · · Score: 4, Interesting

    Right with you on the javascript thing. I use noscript passively everywhere. The internet is just a nicer place when random javascript has to have permission to run at all.

    I only run what I have to run.

    I do the same thing with cookies. If a site doesn't need cookies then I don't let it store them on my machine. And third party cookies? ha. Basically never. I go through most of the internet like a ghost. They can track my IP I guess but that is a far cry from loading me up with tracking cookies or insane amounts of nested javascripts.

    Have you ever seen how they're set up? They put one inside another inside another inside another. They're like those fucking Russian dolls only worse. You'll have five or six nested inside of one script and then each of those could have two or three scripts inside of it and so on. It is insane. There needs to be some sort of passive standard that limits scripts to the host domain. I don't understand why you'd run foreign scripts. There's no reason for it. And if you REALLY need to, then fine... let people right click something to add an exception but if most people don't do that the web admins will craft less retarded sites... and hopefully the ad people will be less obnoxious.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  5. Re:depends by Kjella · · Score: 4, Insightful

    You mean like browsers and Javascript? In that case 99% of the population has lost already. The pwn2own competition results are rather miserable. The part that /. probably doesn't want to hear is that the primary effect is centralization and gatekeepers.

    Take Usenet for example, it got overrun by spammers and trolls because there was no real way to block them and the few moderated groups basically meant a few people were in control of the discussion. Instead we moved to forums, where you could use CAPTCHAs and various other tricks to block mass sign-ups, moderation, flagging of abusive users and so on. They're not perfect, but they work okay.

    Why do so many people use Facebook instead of email? Same thing, much less SPAM. For the longest time, Linux users hailed the repository model over the Windows "download random exe from the Internet" model. Then Apple took it to the extreme with the "one store to rule them all" and suddenly it was a problem. Even on Android you have to pass by huge warning lights to enable third party repositories and Windows Phone has as far as I know joined Apple in the "one store" model.

    My guess is that they'll push it to the cloud so all the application code runs on a server and they just need to lock down the browser, more per user&app sandboxes, more difficult time running unsigned software and more users with computers that need Apple's, Microsoft's or Google's sign-off to run an application. The average user simply doesn't understand the micromanagement involved, same way users won't use NoScript when browsing the web. They'll "outsource" it.

    --
    Live today, because you never know what tomorrow brings
  6. Re:No-one's going to win by pscottdv · · Score: 4, Funny

    I'm sorry. This is Slashdot so we'll be needing a car analogy.

    --

    this signature has been removed due to a DMCA takedown notice