The boot path. You want a TPM-like chip that can take you from power on to login screen with a chain of custody ensuring that nothing can be tampered with without being detected. With encryption that mounts the data volumes only after the system volumes and the kernel are vetted, tampering can only deny access, nothing else.
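The chain of custody described in this post can be made concrete with a small simulation. The following is an added example, not code from the post's author or from any TPM vendor: it models a TPM-style PCR extend over the boot stages, "seals" the data-volume key to the expected final measurement, and releases it only when the measured chain matches. The component images, the key and the seal construction (a KEK derived from the policy value instead of a key held inside the chip) are constructed stand-ins.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for the images a real firmware would measure.
GOOD_COMPONENTS: Dict[str, bytes] = {
    "bootloader": b"constructed bootloader image v1",
    "kernel": b"constructed kernel image v1",
    "system_volume": b"constructed root filesystem image v1",
}
BOOT_ORDER = ("bootloader", "kernel", "system_volume")
VOLUME_KEY = hashlib.sha256(b"constructed data-volume key").digest()  # 32-byte sample key


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = H(old_pcr || H(component)).
    Each value folds in the previous one, so the final PCR commits to every
    component and to the order in which they were measured."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: Dict[str, bytes]) -> bytes:
    """Walk the boot path, extending one PCR with each stage before it runs."""
    pcr = b"\x00" * 32  # PCRs start zeroed at power-on
    for name in BOOT_ORDER:
        pcr = extend(pcr, components[name])
    return pcr


def seal_key(volume_key: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Simulated sealing: bind the key to one expected PCR value.
    A real TPM keeps the wrapping key inside the chip; here a KEK is derived
    from the policy value so the simulation stays self-contained."""
    kek = hashlib.sha256(b"seal-kek|" + expected_pcr).digest()
    return {"policy_pcr": expected_pcr,
            "blob": bytes(a ^ b for a, b in zip(volume_key, kek))}


def unseal_key(sealed: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the measured state matches the policy."""
    if current_pcr != sealed["policy_pcr"]:
        return None  # policy mismatch: the data volume simply stays locked
    kek = hashlib.sha256(b"seal-kek|" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


# Provisioning step: seal the data-volume key to the known-good measurement.
SEALED_KEY = seal_key(VOLUME_KEY, measure_boot(GOOD_COMPONENTS))


def boot_and_mount(components: Dict[str, bytes], sealed=SEALED_KEY) -> Optional[bytes]:
    """Power-on to data mount: measure every stage, then ask for the key.
    Returns the key when the chain is intact, None when any stage differs."""
    return unseal_key(sealed, measure_boot(components))


if __name__ == "__main__":
    print("clean boot releases key:", boot_and_mount(GOOD_COMPONENTS) == VOLUME_KEY)
    tampered = dict(GOOD_COMPONENTS, kernel=b"constructed kernel image v1 + implant")
    print("tampered kernel releases key:", boot_and_mount(tampered) is not None)
```

The point the post makes falls out of the last function: a modified bootloader, kernel or system volume changes the PCR, the policy check fails, and the only consequence is that the data volume never unlocks. Swapping two stages also changes the measurement, because extend is order-sensitive.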
You mean like that new android phone that reloads a clean operating system if /boot doesn't match the signature (ie, if you root and flash it)?
You think the United States government doesn't do this on CIA and DOD computers?
Um, are you sure you want an answer to that?
Some fruitbasket over in the UK managed to "hack" (read "log into with blank or 'simple' passwords") some machines in the Pentagon, using "sophisticated hacker tools" (read "stock MS RDP client")...
If I was a government I wouldn't trust any piece of software from the outside... ...Binary blobs from other countries would be totally banned.
These are the same folks who banned Chinese-made telecommunications equipment, no?
Would that mean they'd need to call for 'take out' instead of 'tech support'?
No, sorry, tech support is in the call center on the next block. Thank you for calling, my name is Steve, I am in Detroit.
(Probably linux, because there is no way people could switch to OSX without buying apple hardware...so it would be a less popular choice.)
Uhm.. OS X runs on x86, now...
Google "hackintosh" for more info, including detailed implementation instructions.
Hey, watch them mod points! I didn't say it was legit!
And, for those who don't want to sort through the links, here's one that seems to do the trick, with no additional hardware required other than a spare thumbdrive. I didn't read through it in its entirety, but it certainly looks good - actually made me consider seeing if my brother-in-law (a mac-head) has some spare installation media... who knows? I might find a new OS I like (and $100 for a legit license good for up to 5 systems in the same household sounds a lot better than MSFT's $140 for a single PC license).
...they definitely come up pretty high on the "tortured acronym" list...
Try removing "Drive-By" from the name...
BLock All Download Exploits
I'm wondering if the "drive-by" portion is added by the journalists to play at their readers' level, or if it was an assumption of the potential customers' reading comprehension level by some dweeb in marketing.
That's like saying we shouldn't remove deadly exploding cars from the roads...
There are still Ford Pintos being driven on the road today.
I saw one last week, driven by what appeared to possibly be the original owner. Beautiful condition (the car, not the owner).
As a fan of NoScript (the only plugin that *really* keeps me with firefox), I can tell you this: it's too hard to use for normal users.
Yeah, because Joe User can't be bothered to learn the following sequence:
1: Notice that an element of the page isn't "working as intended".
2: Click the little "S" icon in the bottom-right-hand corner of the browser.
3: (this is the one causing the most issues with NoScript usage, IMHO) select only the bare minimum of sites to allow scripting from (typically the one in the address bar, duh)
4: Profit! (view your youtube videos without most of the additional crap/ads/whatever)
Unfortunately, my experience is that the typical response to "my youtube is broken!" is to either "allow all this page" or close FF and use IE...
Unless the malware program actually deletes Spybot as well as AVG and also changes your DNS so it redirects to a phony chinese search site instead of Safer Networking's site. This happened to me not long ago.
For me, SpybotSD has been more of a preventive measure than a fix-it tool. Same for AVG, actually. You're supposed to install them *before* you get infected.
How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE anyway.
If I understand you correctly, you're talking about removing the ability to shell out another executable from within an executable. After all, what, exactly, is the difference between an installation app and a regular app?
They both have the ability to modify the Windows registry, output arbitrary data to arbitrary locations, etc - how do you think MS Paint saves that picture file your 3-year-old made by facerolling the keyboard and beating the family dog with the mouse?
"Fine," you state, "just disable the ability for an executable to start another executable, then."
Unfortunately, killing the methods of shelling out to an app would destroy most operating systems' functionality - after all, the kernel is an executable that runs other executables (such as the graphical shell you think is your OS), directly or indirectly.
"Sure," you say, "we can just make it so the kernel can do it, but nothing else."
Ok, now what do you do when *you* want to launch an executable, say by clicking a representation of its logical address located in that previously-mentioned graphical shell (ie, your desktop)?
"Well, we can just let the kernel and the rest of the OS do its thing, then," you respond.
Where do you draw the line?
Photoshop executes a dozen processes when it starts up.
Hitting a flash-enabled website in your browser can launch dozens of processes.
Javascript is "executable code".
A slightly looser definition of "executable code" could include HTML.
In short, this is not the correct direction to be looking for an answer in; your post getting a "+5, Insightful" amazes and bewilders me.
Also, I find it interesting that Chrome isn't listed in their statistics (after I hit the link with a snapshotted VM's browser) - despite that I have seen systems with apparent drive-by infections with no IE link on the desktop, quicklaunch, or start menu, no firefox installed, and a shortcut to chrome on the desktop labelled "Internet". Maybe the user was lying as to the source of infection.
Clicked the link to "interesting display of the infection rate of different browsers", and got
Hi. Javascript is turned off in your web browser. Good for you!
Ironically, to view our analysis results you do need to enable Javascript.
We promise not to bite.
Aside from the question of why I would need to enable Javascript to view their results, I found it highly amusing... and disturbing.
Kinda gave me the feeling of
"We're not doing anything evil, we promise! Oh, and we need you to let us inside your system's security before we'll give you any information".
Not exactly inspiring any confidence, here.
For instance, why isn't your page dynamically generated server-side, if you're trying to promote safe browsing practices? Oh, right, because you're not; you want me to buy your software...
I think I'll stick with NoScript and AdBlockPlus, thanks - they don't cost anything.
Ah, I see where you might have taken exception to my post, now. You're probably referring to the part where I stated "...but the land is entirely American-owned."
I gotcha, yeah... except, if it's illegal for a foreigner to own land in the U.S. then if there were a property dispute over those particular holdings, the government can step in and say "Oh, hey, you're not allowed to own that, regardless of any transaction you may think you made. That's property of the U.S. government now, and if you have an issue with it, feel free to sue the person or entity that 'sold' it to you for fraud."
It is illegal for a person who is not a US citizen to own land in the United States.
You're an idiot.
Wait, let me see if I have this right... You're calling me an idiot for stating a fact? Seriously? And "supporting" your assertion with a search for foreign owned land?
Saying "foreign ownership of U.S. soil is illegal" doesn't mean people haven't sold it to foreigners, just like saying "ownership of this plant is illegal" doesn't magically remove it from the ground it is currently growing in, nor magically keep its seeds from sprouting in the next growing season.
How, exactly, does this make *me* the idiot in this discussion?
"Drive by download" is just a made up excuse by people who don't want to admit to what they were doing when they installed some malware yet again.
Yeah, like the user moving their mouse out of the way to read the text of an article, and coincidentally mousing over an ad purchased by a malware distributor that *looks* legit, and is on a legit site, but is actually just a method to throw their nasty bot into the download stream.
And before you protest that you've never seen that happen, I would like to inform you that I have - with my own eyes. Anecdotal evidence aside, this is factual to me.
More and more frequently, I'm seeing people saying that Windows is the primary security risk on the internet. Perhaps we should look into that.
Response != disagreement.
Although in this case, I'm responding to you because there's no "-1, Slow-On-The-Uptake" modifier.
Then there's the little matter of China owning enormous chunks of the U.S....
You speak as if there are real properties involved, ie, land.
It is illegal for a person who is not a US citizen to own land in the United States.
I'm not saying that we don't owe other countries money, goods, or services, but the land is entirely American-owned.
Thank you, drive through.
And Heinlein is still a good read, especially Starship Troopers and Stranger in a Strange Land.
... and in case it's necessary to point it out for those who think otherwise, Starship Troopers the movie has very little to do with Starship Troopers the book.
"Remote execution/privilege-escalation exploit" is the category of issue you're thinking of, not security exploits in general.
You are absolutely correct, thank you for the correction and information.
Several of the AC posts were ignored, due both to a general distaste for someone unwilling to provide me with even a pseudonym to respond to, and the idea that religious fervor has no place in a serious discussion of the merits of an OS; but you caught right on to what I meant, even if I didn't express myself properly - I bet your users are quite happy.
The best advice is move sshd off of port 22, establish and configure your IDS and response, move sshd back to port 22.
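The "establish and configure your IDS and response" step in this post is where most of the work is. As an added example, not code from the poster, here is a minimal detector that reads sshd syslog lines, counts password failures per source inside a sliding time window, and emits a firewall rule for each source that trips the threshold. The log lines are constructed (addresses come from the documentation ranges), the threshold and window are assumptions, and the syslog timestamps carry no year, so the parser only relies on time differences.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed sshd log sample: one fast brute-force source, one legitimate
# user who typo'd a password, and one slow source spread over an hour.
SAMPLE_AUTH_LOG = """\
Jun 12 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 12 10:15:03 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 12 10:15:04 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jun 12 10:15:06 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun 12 10:15:07 bastion sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51255 ssh2
Jun 12 10:16:30 bastion sshd[2120]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Jun 12 10:16:41 bastion sshd[2122]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
Jun 12 11:30:00 bastion sshd[2301]: Failed password for root from 192.0.2.9 port 40000 ssh2
Jun 12 11:45:00 bastion sshd[2302]: Failed password for root from 192.0.2.9 port 40001 ssh2
Jun 12 12:00:00 bastion sshd[2303]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jun 12 12:15:00 bastion sshd[2304]: Failed password for root from 192.0.2.9 port 40003 ssh2
Jun 12 12:30:00 bastion sshd[2305]: Failed password for root from 192.0.2.9 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(text: str) -> datetime:
    """Syslog timestamps have no year; only differences between them are used."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: float = 60) -> Dict[str, datetime]:
    """Return {source_ip: time_of_first_trip} for sources with at least
    `threshold` password failures inside any `window_seconds` span."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "Failed password":
            continue  # ignore non-sshd lines and successful logins
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged: Dict[str, datetime], ssh_port: int = 22) -> List[str]:
    """Response step: one iptables rule fragment per flagged source."""
    return [f"-A INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} tripped at {when.time()}")
    print("\n".join(block_rules(hits)))
```

With the defaults the fast source trips after its fifth failure in six seconds, while the slow source at fifteen-minute intervals never has more than one failure in any sixty-second window and goes unnoticed; widening the window to two hours catches it. That trade-off between window size and false positives from users who mistype a password is exactly what the "configure" part of the post is about.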
I disagree. The best advice (in my opinion) would be to configure your box behind a firewall, and only move it out into the "world" once it is patched and secured.
As far as securing ssh, what's wrong with port knocking? I've heard some security professionals claim that port knocking is security through obscurity, sure, but... with > 65,000 ports to choose from, picking the correct ports to "knock" on, with the right tcp flags in the packets, with no mistakes between them, and then logging in on the correct ssh port within the time limit before the port automatically closes again...
... kinda like walking around a house, hoping to knock on the correct number of bricks, in specific locations all around the house, then getting to where the door is in time to insert your key... without knowing where the door is ahead of time, either.
In other words, good luck. The only open port on my entire network is 80, because the only public service I'm running is a web server.
I don't even bother logging the attempts to brute-force my ssh, because 22 isn't open.
In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port.
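The knock sequence the reply describes (correct ports, correct flags, no mistakes between them, and the SSH port closing again after a time limit) is a per-source state machine. The following is an added example, not the poster's setup or any real knock daemon: it tracks each source's progress through a constructed, hypothetical sequence, resets on any wrong packet or when the sequence takes too long, and opens the SSH port for that source only for a fixed interval. Ports, flags and timings are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed, hypothetical knock sequence: (port, TCP flag) in the required order.
KNOCK_SEQUENCE: List[Tuple[int, str]] = [(7000, "SYN"), (8000, "SYN"), (9000, "FIN")]


class KnockDaemon:
    """Per-source state machine: a correct sequence within seq_window seconds
    opens ssh_port for that source for open_seconds; any wrong packet resets."""

    def __init__(self, sequence=KNOCK_SEQUENCE, seq_window: float = 10.0,
                 open_seconds: float = 30.0, ssh_port: int = 22):
        self.sequence = sequence
        self.seq_window = seq_window
        self.open_seconds = open_seconds
        self.ssh_port = ssh_port
        self.progress: Dict[str, Tuple[int, float]] = {}  # ip -> (next index, first-knock time)
        self.opened: Dict[str, float] = {}                # ip -> expiry time

    def packet(self, ip: str, port: int, flag: str, now: float) -> str:
        """Decide one inbound packet: 'allow'/'drop' for the SSH port,
        'progress'/'opened'/'drop' for knock attempts."""
        if port == self.ssh_port:
            if self.opened.get(ip, -1.0) > now:
                return "allow"
            self.opened.pop(ip, None)  # expired or never opened
            return "drop"
        idx, start = self.progress.get(ip, (0, now))
        if now - start > self.seq_window:
            idx, start = 0, now  # took too long: the sequence starts over
        if (port, flag) != self.sequence[idx]:
            self.progress.pop(ip, None)  # wrong port or flag: any mistake resets
            return "drop"
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(ip, None)
            self.opened[ip] = now + self.open_seconds
            return "opened"
        self.progress[ip] = (idx, start)
        return "progress"


if __name__ == "__main__":
    d = KnockDaemon()
    for step in [(7000, "SYN", 0.0), (8000, "SYN", 1.0), (9000, "FIN", 2.0), (22, "SYN", 3.0)]:
        print(step, "->", d.packet("198.51.100.4", *step))
    print("after expiry:", d.packet("198.51.100.4", 22, "SYN", 40.0))
```

Two caveats worth keeping in mind alongside the post's arithmetic: the sequence is visible in clear to anyone positioned to observe the client's traffic, so knocking filters out scanners rather than replacing key-based authentication, and a daemon like this must fail closed, since an error in it leaves the SSH port unreachable rather than exposed.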
A machine not running SSHD is more likely to be a Windows box which is more easily broken into.
Good point.
You failed to read the linked article, where it explains all of the things you just wasted time and bandwidth bitching about. Congratulations.
To recap: Vista and 7 *combined* have less than a third of the market share of machines professing to be "Windows". An actual figure bandied about was 66%. Another was barely over 60%. If you spent less time jumping to conclusions with your MSFT fanboyism, you would realize that in the past 3 years, despite 2 new OS releases from MSFT, their previous OS is still dominating their market.
As far as whether you can combine Vista and 7 into one lump of crud... can you name one feature in 7 that isn't in Vista's pre-release "announced features"? Without googling? Yeah, didn't think so. Most (non-techie) people can't tell the difference between the two without pressing window-break (a keyboard shortcut to "Control Panel, System" or "Right-click My Computer, choose Properties").
By many accounts, 7 is just what Vista should have been when it was released, and they still haven't hit the whole set of announced features for Vista, even with 7 Ultimate. Kinda dropped the ball, there, fellas.
Adding in the ridiculous learning curve, and the lack of backwards compatibility (not counting the virtual appliance that is "XP Mode" and can be accommodated via virtualbox just as well), and I decided to stop paying the MSFT tax and learn Ubuntu, instead... and I'm an MCP.
--
Microsoft has jumped the shark.
I have AdBlock running. It doesn't get rid of all the other shit like "we suggest you like this commercial entity's page". It's a fucking ad plain and simple.
Not sure which ads specifically you're referring to, unfortunately, but there are addons to deal with textual ads, as well.
Not sure exactly what you're bitching about, to be honest, since the problem as I understood it was mainly the flash-based ads that shout at you or have other annoying sounds to "attract your attention".
Shooting them in the head would be even cheaper, and would create only a slightly lower probability of them being revived.
Why waste bullets? Do them like we do cattle in the beef industry, and just use a nail gun that doesn't let go of the nail.
What, it's not sterile? So what? It's being used to KILL YOU.
I have the same argument against using sterile medical equipment when administering the death penalty. I'm willing to bet that dragging someone kicking and screaming into a room with windows and video cameras, strapping them to a gore-stained chair, then holding a nail gun against their forehead and pulling the trigger would be a helluva lot more effective deterrent than the current method.
And before you argue against me, consider this:
It is just as humane, the actual death is just as fast as current methods, if not faster.
It's less wasteful of resources, both materials used and energy used are less.
If publicized, capital crime rates would drop among any of those who could be considered sane.
Compare the following statement:
"If I perform this act, I will be put in a cage, cared for for many years, and then quietly euthanized."
with this one:
"If I perform this act, I will be dragged into a room and have my head cracked open by a high-velocity hunk of metal as soon as the trial is over."
Yes, this seems to be quite a grisly and gruesome fate. If we believe that it is right and proper to remove someone's life, why hesitate? Why be nice to them? Why go to the extra time, trouble, and expense of feeding them 3 times a day, caring for their medical problems, etc, for years, even decades? The only thing better to do with someone who committed a capital crime, in my opinion, would be to use them for medical experiments. At least then they'd be good for *something*.
"Ok, the jury found you guilty of premeditated murder. Come with me, we need to shave your head so we can get a good view of the nail coming out the back..."
This leads into a huge off-topic rant (like this whole thread hasn't been off-topic, right?) about how we shouldn't be locking up people who haven't harmed other people, victimless crimes aren't crimes, etc... or it can wander off into a discussion of exactly how bad for society someone needs to be before we decide they're not able to be rehabilitated, and just chop off their heads or splat them open or whatever.
Locking someone up has been proven to not only *not* be a deterrent, but to produce hardened criminals from those who otherwise would never have done anything worse than consume substances some people choose to consider "evil" (drugs), or pay for something that is perfectly legal to give away for free (sex).
Man, I oughta write an essay, or something; I appear to have quite an opinion on this topic.
Either that or you find queens that have survived a collapse and breed them with normal bees, who haven't developed an immunity.
Sounds good, except for the part where the collapse seems to be 100% fatal.