Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818

Comments · 5,818

  1. Another question. on The Coming Botnet Stock Exchange · · Score: 2, Insightful

    He's not the type to hack randomly, he's only interested in targeted attacks with big payouts.

    Yeah, whatever. If I was an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.

    If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random machine in a specific block would be much easier.

    Then you'd use that machine (those machines) to more easily target the specific machine.

  2. Good point. on Iran Hacks US Spy Sites · · Score: 1

    Does anyone remember during our own elections where people would forward emails to all their friends quoting quoting quoting quoting some email with less-than-100%-factual claims from someone you've never heard of before?

    Was that a cyberwar?
    No, that was PR and the medium was email.

    Just because something you don't like somehow touches the Internet does NOT make it a "cyberwar".

  3. It's a website. Not a war. on Iran Hacks US Spy Sites · · Score: 1

    Last week when I posted that we were in fact actually at cyber war, I was roundly ridiculed for not knowing what I was talking about because I am not a sysadmin.

    And they were right to do that. A sysadmin knows the difference between a website and a war. Websites are cracked all the time by script kiddies. Websites are shut down all the time by lawyers.

    Who cares? All this does is attract MORE attention to whatever content those websites were hosting.

  4. Tell me how many. on Security Industry Faces Attacks It Can't Stop · · Score: 1

    For home users, this will lead to just another popup for them to click through to get the thing they want.

    No. If done correctly, this will ONLY appear when they are installing something that is dangerous.

    How should they know if it is just too new and not covered by the whitelist or actually bad?

    Because most users don't intentionally install software that is that new. They install Acrobat Reader and there is no pop-up. They install WoW and there is no pop-up. They install Trillian and there is no pop-up.

    They try to install SexyLadies.jpg.exe and there is a warning pop-up. Whoa! That was unexpected. That didn't happen the other times.

    If they're really pro-active they'd have an online option to check the file. Yep. It's infected with CodeSlammer3000.

    Now, SOME users will install it anyway. So what? This is about IMPROVING computer security. Not achieving 100% perfection.

  5. Applause. on Security Industry Faces Attacks It Can't Stop · · Score: 1

    Exactly correct. An alarm is NOT an alarm if it is continually triggered by regular activities.

  6. If they click through, they click through. on Security Industry Faces Attacks It Can't Stop · · Score: 1

    Because when an exploit in Adobe Acrobat causes it to gain access to system files, the permissions for it to do so were already granted, so your box has been rooted.

    And since the average user would have clicked through anyway ... the net result is the same as the situation today.

    At least with the system I described in my OP, when that happened, since it was never granted that permission by default, it would pop up "Hey, wait a minute! Acrobat is trying to do something that it was not given permission to do! Do you REALLY want to do this?"... Sure, novice users may click right through them, ...

    Again, the net result is the same as the situation today.

    You can't stop stupidity, the most you can do is to put the tools in place for those who want to use them...

    Except that that is not stupidity. Because clicking through all those screens is seen by the end user as just another part of the install process, the end user will click through all those screens, taking whatever the default is.

    Stupidity is when the user is informed that something UNUSUAL is happening and NOT part of the expected process and clicks through anyway. Which means that the process CANNOT be part of installing regular, good applications.

  7. Whitelists (and one disagreement). on Security Industry Faces Attacks It Can't Stop · · Score: 1

    Or perhaps stop using losing strategies like Default Permit when it comes to security.

    Exactly.
    AV software is just an example of Enumerating Badness which in the long run is a very very bad strategy.

    And impossible. As you address later.
    AV software is useless against a custom virus I write just for attacking your system.

    Which is why whitelists would go a long way towards solving most of these "problems".
    The problem isn't Windows. The problem is that people keep using terrible strategies.

    I'll disagree because the security model behind Windows is based upon the other elements you've already identified as problems.

    And Microsoft made that security model in that fashion so that they could leverage sales of one product to sell other products. Which is why you find RPC in so many of their products.

    Look at what you'd consider "best practices" for security. Then compare Win2K to Win2K8 or Win7. Microsoft has made some improvements. But Win7 is still vulnerable to the same attacks that Win2K was.

  8. Kill the zombies. on Security Industry Faces Attacks It Can't Stop · · Score: 1

    Or you could reverse the antivirus idea, and build a giant database of checksums.

    Yes. And not only checksums, but hashes and signatures and so forth. The more ways to verify a file is from a KNOWN vendor, the better.

    So inevitably the user will run into something unsigned they want to run.

    Hold that right there.

    You left off "legitimate, non-malware app".

    If this stops the user from installing a virus or whatever, that is good. Even if the user THOUGHT that s/he wanted to install it.

    It'll need a checksum for every obscure software out there, in every possible version.

    Why? Wouldn't that be a way to differentiate between the various anti-virus companies? As long as the vendor you went with supported all the software that you wanted ... you'd be happy. Or you could go through the hoops and install it anyway.

    WoW released an update today? You can't play until the DB gets updated.

    See above. You would spend your money with the more responsive vendor. Or you'd go through the hoops.

    Add to that that no company will analyze every byte of every binary, and them listing a trojaned version as valid is quite possible.

    Why would you need to? If the hashes and signatures and so forth aren't enough to show that that file came from that vendor, oh, wait, they would be.

    You can't possibly whitelist every legitimate image.

    Again, you wouldn't need to.

    We're talking about zombie networks that have MILLIONS of infected machines.

    If you are the vendor of an app that has MILLIONS of installs, wouldn't you be able to sign your own work? And coordinate with the anti-virus vendors to list your app?

    And if you aren't talking about MILLIONS of installs then you admit that this approach solves the biggest problem with such malware.

    But there's little interest for antivirus vendors in that, as if we got there there wouldn't be improved versions or database updates to sell.

    That's because the anti-virus vendors don't have the LEGAL RIGHTS to do that.

    The BEST that they could do would be to alert the end-user that application X has KNOWN VULNERABILITIES and needs to be REMOVED OR UPGRADED as soon as possible.

  9. Oh HELL no! on Security Industry Faces Attacks It Can't Stop · · Score: 1

    So when you install the app, it'll tell you every permission that it has, and if you don't agree with them, it doesn't install (Or possibly gives you the option of running in a reduced permissions mode, if the developer allowed it).

    No way! That would be the same (effectively) as the current situation for the end user. They'd just click through because they wouldn't understand the implications.

    No. I'm suggesting more along the lines of NOT throwing up any alerts if the file's hashes and signatures match KNOWN releases from KNOWN companies. So an install of Adobe Acrobat goes through without throwing up a warning ... but the website downloading malware_1.dll to c:\windows\system32 throws up multiple, sequential windows with the option to compare that file to online databases of known malware.

    Make the warnings appear when the other avenues of verification have failed so that they are UNUSUAL and not just part of Windows' regular behaviour.

  10. Pretty much, YES!!! on Security Industry Faces Attacks It Can't Stop · · Score: 1

    You mean like how OSX and Linux do WITHOUT Antivirus?

    Sure! It's not like Microsoft is going to start changing Windows any time soon, is it? (the expected answer is "no")

    People claim that OSX has no viruses because it's a tiny target.

    Those people are confusing "security" with "marketshare".

    And the more hoops you make a user go through for LEGITIMATE threats, the less likely that that threat will be realized.

    As opposed to the current situation on Windows where EVERY new app is considered a threat. Which means that the situation is more of a "new app detector" than a "virus detector".

    Not to mention that the anti-virus app can then "scan your machine for possible threats" and tell you that apps A, B, C, D and E are out of date and have patches available.

  11. I'd support that. on Security Industry Faces Attacks It Can't Stop · · Score: 1

    The problem is whitelisting limits what you can install.

    Yep! And then we'd FINALLY see some improvement in anti-virus competition. Which company has the more complete whitelists? Or which company has the whitelists that work for YOU?

    Adding programs to the whitelist is time intensive, and the major benefit of Windows is the fact that there's so much stuff out there you can run on it.

    Two points there:
    1. adding programs is time intensive - which is why you'd rely upon the anti-virus updates. It is time intensive for one person ... but an anti-virus company should be able to handle it more easily than making signature files for potential threats.

    2. Windows has a lot of stuff that will run on it - which is (one of the reasons) why viruses (and such) spread so easily on it. But at least this way, the user will have a real option instead of the current situation.

  12. Hell, why aren't the banks cracked? on Security Industry Faces Attacks It Can't Stop · · Score: 2, Insightful

    If security is that difficult, then why haven't all the banks been emptied by now?

  13. Yeah, read the whole thread. on Security Industry Faces Attacks It Can't Stop · · Score: 2, Insightful

    So the same people that this article is pointing out that are failing to actually protect people?

    Yeah, read the whole thread. You might notice that that was my original point.

    The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.

    If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.

    But they don't do that. See the sentence above the sentence right above this one.

  14. Is your shopping list executable? on Security Industry Faces Attacks It Can't Stop · · Score: 3, Insightful

    No? Then it isn't an issue.

    Now, if you're trying to store your shopping list on c:\windows\system32 ... then the anti-virus app should block you.

    As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.

    A side benefit of this would be that the anti-virus app could also tell you that you have vulnerable, unpatched apps on your system.

  15. So why not change it? on Security Industry Faces Attacks It Can't Stop · · Score: 5, Insightful

    The security industry will always be unable to protect everyone 100% of the time.

    The problem is that they haven't even hit the 50% mark. They cannot even, reliably, detect threats that are over a year old.

    AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect.

    Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

    In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better.

    I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.

    It is not in the "security industry"'s best interest to commit to real improvements in security.

  16. No. The core problem goes deeper. on Security Industry Faces Attacks It Can't Stop · · Score: 3, Insightful

    The "security industry" is NOT interested in putting itself out of business by selling WORKING products.

    That's why the "perfectly installed antivirus" gets daily updates and STILL CANNOT TELL A GOOD FILE FROM A BAD FILE.

    Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

    It's far easier to identify the files that SHOULD be allowed than it is to identify a possible threat.
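The allow-list policy sketched across comments 9, 14, 15 and 16 (no pop-up for known releases, a warning for an unknown executable, an outright block for an unrecognized write into the OS directories), written out as an added Python example that is not from the original posts; the protected directories, the vendor hash list and the file bodies are constructed stand-ins, and the hash list would come from vendor-published hashes or signed catalogs in practice.

```python
"""Allow-list policy for file writes, as described in the comments above.

Added example, not code from the original posts. Paths, hashes and file
bodies are constructed for the demo.
"""
import hashlib
from pathlib import PureWindowsPath

# The "OS portion of your drive" (constructed list).
PROTECTED_DIRS = (r"C:\Windows", r"C:\Program Files")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vendor-supplied hash list: hash -> (vendor, product).
KNOWN_GOOD = {
    sha256_hex(b"MZ acrord32 1.0 (constructed)"): ("Adobe", "Acrobat Reader"),
    sha256_hex(b"MZ wow 3.3.3 (constructed)"): ("Blizzard", "World of Warcraft"),
}


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive; compare them lowercased with one separator style.
    return str(PureWindowsPath(path)).lower()


def is_protected(path: str) -> bool:
    """True if the path is inside an OS or program directory."""
    p = _normalize(path)
    return any(p.startswith(_normalize(d) + "\\") for d in PROTECTED_DIRS)


def is_executable(path: str) -> bool:
    # "SexyLadies.jpg.exe": only the final suffix matters to the loader.
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXTS


def classify_write(path: str, data: bytes, known_good=KNOWN_GOOD):
    """Decide what to do with a proposed write of `data` to `path`.

    Returns (verdict, reason) with verdict "allow", "warn" or "block".
    """
    protected = is_protected(path)
    if not protected and not is_executable(path):
        # A shopping list in My Documents is not executable: no alert at all.
        return ("allow", "non-executable outside OS directories")
    digest = sha256_hex(data)
    if digest in known_good:
        vendor, product = known_good[digest]
        # Matches a known release: the install proceeds with no pop-up.
        return ("allow", f"known release: {product} from {vendor}")
    if protected:
        # Unknown file headed for the OS: block (override only after extra hoops).
        return ("block", "unrecognized file in OS directory")
    # Unknown executable elsewhere: the UNUSUAL warning the posts describe.
    return ("warn", "unrecognized executable")
```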

  17. Here's how they do it. on On Social Networks, You Are Who You Know · · Score: 2, Interesting

    Go to www.zabasearch.com and type in your name.

    It will probably turn up a few addresses. Now all that's left is to geo-locate your IP address and dump the addresses close to that location onto Google Maps.

    Even if you have an unlisted phone number your address is easy to find.

  18. The short answer? Money. on Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out · · Score: 5, Insightful

    Why hasn't this happened even more?

    Because the spammers and such are paying good money for such "bullet-proof" hosting sites.

    Meanwhile, the more legitimate ISPs don't want to spend the money to block the command/control servers individually on their networks.

  19. They had some decent products. on Why Microsoft Can't Afford To Let Novell Die · · Score: 2, Interesting

    I still prefer their file/directory rights system. And eDirectory was decent. And GroupWise was decent.

  20. That's what I always wondered. on Why Microsoft Can't Afford To Let Novell Die · · Score: 3, Interesting

    Instead of buying a distribution, how about hiring some of the coders and providing them with specs to get your money-making products ported to ALL Linux distributions?

    Then pay bounties for improvements you need/want in other areas of Linux.

    Your company and products end up distribution-agnostic and you have lots of good will from paying the coders who are furthering Linux. And you can do it for a LOT less than the price of buying a whole distribution.

  21. Project Xanadu in 1960. on Time To Take the Internet Seriously · · Score: 1

    So that would make an attempt to IMPLEMENT his "prediction" taking place when he was FIVE YEARS OLD.

    Isn't it kind of hard to "predict" something that someone else has already spent the time and energy on to attempt an implementation?

    Oh, and

    The Cloud (or the Internet Operating System, IOS -- "Cloud 1.0") will take charge of your personal machines.

    You might want to check with Cisco first. They might have a problem with you using that TLA and name. It's rather close to what they've been marketing FOR YEARS.

    Now, why are the ramblings of this guy of any interest to anyone?

  22. Contradiction. on Time To Take the Internet Seriously · · Score: 4, Insightful

    He's "...someone worth paying attention to..." but he cannot make decent predictions about the material he is supposed to be worth listening to about?

    He cannot even clearly define the buzz words he fills his "predictions" with. That article is not worth reading.

  23. The question is how accurate are the predictions. on Time To Take the Internet Seriously · · Score: 5, Insightful

    Anyone can make a prediction. I'll make a prediction right now that one day we'll have a man on Mars.

    The problem is how ACCURATE is the prediction. And his predictions are pretty useless. They're filled with current buzzwords and have no falsifiable content. Take prediction #5:

    5. Consider Web search, for example. Modern search engines combine the functions of libraries and business directories on a global scale, in a flash: a lightning bolt of brilliant engineering. These search engines are indispensable -- just like word processors. But they solve an easy problem. It has always been harder to find the right person than the right fact. Human experience and expertise are the most valuable resources on the Internet -- if we could find them. Using a search engine to find (or be found by) the right person is a harder, more subtle problem than ordinary Internet search. Small pieces of the problem have been attacked; in the future we will solve this hard problem in general, instead of being satisfied with windfalls and the lowest-hanging fruit on the technology tree.

    WTF? I'm not going into whether a search engine is an "easy problem". Everything is easy once it has been done by someone else.

    But why does he believe that finding PEOPLE is an issue? This is the INTERNET. You can find published information ABOUT people. But PEOPLE are not abstracted and defined on the Internet.

    And yes, in the "future" this "problem" will be "solved". When, how, where and by whom is skipped. So this "prediction" cannot be falsified. Therefore, it can never be shown to be wrong.

    That article is crap.

  24. Let's see ... on There Is No Cyberwar · · Score: 5, Insightful

    What would you call a regular series of attacks on our military headquarters using computers, hmmm?

    I'd call it "the daily life of a firewall". Seriously, check your firewall logs. Mine are being "attacked" every hour of every day and I'm not a military installation.

  25. How would that work in court? on Examining Virtual Crimes · · Score: 2, Insightful

    Can you show me on this doll where he said that he was touching your avatar?