Is it just that no matter how much money you throw at the problem, basic security procedures... are going to be ignored by certain members of staff?
I think that's actually a big part of the problem.
should a company be brought to near bankruptcy for the mistake of a single employee?
If the threat of that is what it takes to force companies to arrange their affairs more securely, then quite possibly yes.
Some people take security seriously; most don't. "All you have to do" to run a secure operation is: (1) Arrange that only a few people have access to sensitive data or are otherwise in a position to ruin the company. (2) Identify which of your employees truly take security seriously and which can't be bothered. (3) Match trustworthy employees with sensitive positions, as appropriate.
Why should anyone be able to ruin your finances by just knowing some numbers?
Excellent question.
One big problem is that in the U.S., at least, we've generally conflated identification with authentication. But they're two very different problems.
If, for example, Social Security numbers were only ever used for identification -- telling two different John Smiths apart, for example -- it wouldn't matter if they were public. In fact I've heard that one of the Scandinavian countries publishes a freely-available database of everyone's identification numbers. Besides being convenient, this ensures that nobody ever sets up a scheme that stupidly uses an identification number as an authenticator.
The big problems arise when the same number that's widely used for identification -- e.g. a SSN -- is also used for authentication.
It wouldn't be so bad if all it took to prove to my bank that I'm me was a number or word, as long as that number or word is secret, and only used for that purpose, so that it has a decent chance of staying secret.
There have been viruses which send out replicas in encrypted zip files by email... People dutifully followed the instructions and launched the viruses on their machines.
How sure are you? And how many people are we talking about?
I've seen plenty of those encrypted zipfile viruses, too, but I always assumed that most if not all of them were first-wave attacks, not manual propagations.
Fixing those issues still won't totally solve the problem.
There is no total fix, no question. But three 75% fixes give you (if they cascade) a 98% solution.
We need user education.
User education is part of the solution, but it's not a total solution, either.
We've been trying it for years, and it doesn't work very well. If the first line of defense against malware is having people not click on suspicious attachments, we'll drown in viruses forever, because there are 1,000,000 ways to trick people into clicking on attachments.
The whole concept of web plug-ins is based on installing software on demand. If you don't have the Flash player on your computer and you go to a flash web site you can get the Flash player just by clicking on something.
Oh, I understand that. That's why I asked, "How different would the computing landscape be?". From what you're saying, we might not have Flash-enabled web pages, but we wouldn't have spyware-infested toolbars and botnets, either. (Sounds like a reasonable tradeoff to me! :-) )
That's a good question. My answer is that the main problem with the current protocol is a lack of certain features, chief among them being authentication. Now, on the one hand, you could say that we could just add those features to the current protocol, rather than abandoning it. On the other hand, you could say that it'd be nearly impossible to get everyone to upgrade to the newer version of the protocol. But on the first hand again, you could say that getting everyone to upgrade would be no more work (and probably much less) than getting everyone to convert over to some completely new protocol.
(Personally, and on the second hand again, I'm afraid that eventually we're going to have to convert over to some completely new protocol, simply because it's easier to talk about and manage, even though the conversion will be much more work. "CMTP [the new Complex Mail Transport Protocol] supports authentication and other antispam features, SMTP doesn't. If you're not talking CMTP, you can't fight spam and you can't talk to me. Convert now and stop complaining.")
Okay, you're right. MacOS, Linux, Unix, and the rest are all exactly as insecure as Windows, if not more so. The only reason there's so much malware for Windows is because the bad old malware authors target it unfairly.
But you know what? It doesn't matter. There still is so much malware for Windows. It's a worldwide epidemic. It affects me rather badly (all this botnet-sent spam in my mailbox) even though I don't use Windows at all.
With that popularity and market share comes some responsibility. Get down off your high horse and fix your damn problem, you Windows users. You may be sick of my "I am invulnerable because of the OS I run" attitude, but I'm just as sick of your "it's not our fault, it's the hackers' fault" excuses. Windows has become a true plague upon the internet, because of the botnets it supports.
Think of all the humans out there who did nothing more than be born. The fact that they get infected by smallpox and serve as part of an epidemic means the fault doesn't lie with the victim!
Sometimes, concern for public health leads to mandatory immunization against epidemic disease. Similar arguments could be used to support mandatory measures to improve the security of individual machines on the public internet.
I don't deny that laws to enforce individual computer security in this way would be difficult to define and enforce. (Nor am I seriously proposing them: this is just a thought experiment.) But the emergence of these botnets proves that we do have the computing equivalent of a public health problem on our hands. And it's true, the fault does not lie with those end users. But they may be part of the solution, whether they like it or not. (And if it's vital to solve the problem, and none of the other solutions will work, we may have no choice but to go with such a solution, even if it does seem to blame the victims.)
I hear you, but: put yourself in the shoes of "Joe Homeowner" for a moment, if you will. You know nothing about chemistry or combustion. You simply purchased your house because you needed a roof over your head. But the law requires you to install smoke detectors (and, in many jurisdictions now, also carbon monoxide detectors). In fact, the reason this is a law is precisely because the average homeowner knows nothing about chemistry or combustion; that's why people need emphatic (enforceable) reminders to install these safety devices.
So a law that mandated safe computing clearly would not be out of the question, and would not be "blaming" those computer users who did nothing more than purchase a brand new PC in order to use it for its intended purposes.
The OS stats had nothing to do with probing the machines from the outside, before infection, with nmap or the like. They were reported by the botnet client, running on the infected machine, after infection. If you've got code running on a machine, it's pretty easy to definitively figure out what OS and version it's running, without resorting to externally-visible fingerprints.
The people behind this are clever. How can we compete effectively?
By competing at all, by being remotely clever ourselves, because at the moment we're not.
These botnet clients all rely on viruses and other sorts of malware to propagate, of course. Now: where is it written that computers must be vulnerable to viruses? You can say that no software is perfect and that bugs are inevitable, but that's missing the point: the popular, "modern" computer operating systems are specifically designed in a way that ends up making it very easy to write viruses and other infectious code. We hand the virus writers the exact tools they need, on a silver platter.
Why is it even possible for your email client to run code out of an email message you've just received? How often do you want to do that legitimately? How different would the computing landscape be if that capability simply didn't exist?
Why is it even possible for a website to install code on your machine simply by visiting it? How often do you want to do that legitimately? How different would the computing landscape be if that capability simply didn't exist?
I hope I'm not being Chicken Little, but there's much worse that botherds could do with their botnets than just sending stock scam and penis pill spam. I'm wondering if the only solution won't be for major governments to take major action (perhaps under the guise of national security), and I'm not sure this would be a bad thing. What if it were made a (minor) crime to operate a computer that's vulnerable to being a botnet node? The only question would be, who would pay for the cleanup: the vulnerable machine owners, Microsoft, or taxpayers?
what is the largest inherent flaw within electronic voting systems today?
Here's one: the fact that machines are willing to load new code off of memory cards during everyday use, which means that worst-case scenarios like the Princeton virus attack are possible. (When I first came across a reference to the Princeton virus attack, I assumed it was bad science fiction; nobody would be stupid enough to make a machine that was vulnerable to that sort of attack. Wrongola.)
"Score another one for spammers." And deduct another one (or ten) from us.
I hate to sound cynical, but this story is not news. There is nothing new here. There have been thousands of different attacks like this, and there will be thousands more.
We (the slashdot community, the IT world, the rest of the world) have to make a choice here:
1. Easy, 1-click executability of untrustworthy active content in emails and the like is a serious bug which must be aggressively stamped out.
2. Having people get pwned like this is an unfortunate fact of life, like disease and bad weather. We may be able to ameliorate it somewhat, but it's not a problem we can ever meaningfully solve, so we should stop complaining, stop treating every new socially-engineered email virus vector as "interesting", and learn to live with it.
Now (being as how I've already admitted I'm in a cynical mood), I can say that I do realize full well that (1) will never happen, and that we've already gone wholeheartedly with option (2).
We've all had this discussion a thousand times before, so to save time, let's just skip it with some of the predictable, defensive responses. Don't say, "but there are good uses for easy, 1-click executability, it's a feature users need and want." All you're really saying is, let's go with option (2). Don't say, "Removing 1-click executability wouldn't help, because stupid users would just download and save the attachments and execute them manually." If you believe that disallowing clickability wouldn't help (wouldn't make the spread of email viruses a thousand times less rampant), all you're really saying is, let's go with option (2).
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
This whole thing is like selling diseased spinach, and turning around and criticizing the people who consume it for having shitty immune systems. True?
Absolutely not. It's like selling diseased spinach, and turning around and criticizing the farm you bought it from for having poor sanitation, and/or criticizing the cattle ranch uphill of the farm you bought it from for having poor wastewater management practices.
For some computers it's hardly uncommon.
For computers with an emphasis on security, it's very rare.
and something you can't plan for.
No, the lesson of this thread is that, if you're using Windows computers, you have to be acutely aware of, and to plan for, this occurrence.
if I borrow a friend's car, and leave the car door unlocked, it's unacceptable that it gets stolen.
There's little point trading these analogies, but:
what if you borrow your friend's car, and you do lock the door, but the car gets stolen, because your friend forgot to tell you to disable the feature his car has that, for convenience, lets anyone roll down the windows from the outside?
Ironically, it sounds like the virus got onto the iPods as a post-manufacturing quality check...
Gad. I hadn't heard that. That is ironic. Thanks.
(Kinda gives the lie to those who are pounding the table saying "Apple should have double-checked more carefully!". What can you do when the very last, right before you seal the box, double-check step can itself introduce the problems? What a mess.)
it'd show those assholes that finally we mean business.
But we don't mean business. If we meant business, we might insist that Microsoft actually disable some of the gaping holes that make the rampant virus problem possible. But instead, we (well, some of us, apparently, but enough to give Microsoft the excuse) insist that any "hardening" of the OS or browser against viruses must not impede our god-given right to email each other easily-runnable executables when we want to, or to perform 1-click installs of browser extensions when we want to. But since there's no way for the OS to distinguish between emailed executables from your buddy, versus email viruses; or between 1-click installable toys that you want, versus spyware; we basically tell Microsoft that we want the virus and malware problems to continue. Microsoft can't fix the problem, even if they want to (not that it's clear that they want to), because we've gotten so accustomed to the stupefyingly dangerous "features" which underlie the virus problem that we refuse to wean ourselves from them. (Or so it seems.)
"Microsoft has got nothing to do with this. Nothing!"
Nothing? Nothing at all? The fact that they invented a fundamentally insecure mechanism called autorun, and then made it enabled by default, played no part whatsoever in this scenario?
That's like if a food company sold some food with harmful bacteria or viruses in it. Would you blame them for shipping tainted food products, or pass the blame off saying they weren't the ones who designed humans to be susceptible to illness in the first place?
You're missing the point. It's like if a food company sold some food with harmful bacteria in it, and they discovered that the raw ingredients were subtly contaminated when they got them, and the problem was that the field where the raw ingredients were grown was downhill from a cattle ranch, such that the manure from the ranch ran downhill into the field. The food company, while accepting the blame for not doing more testing, might, yes, try to assign part of the blame to the downhill field and/or the uphill cattle ranch.
Or if a mechanic didn't do a good job fixing my car and a critical part wasn't fastened good enough, is it the mechanic's fault if I drive over a pothole and shake that part loose and my car stops working?
You're still missing the point. A better analogy here would be that the mechanic fastened the part with a bolt of a specified strength, except that the bolt he used was unwittingly purchased from a corrupt manufacturer who made it to a lower quality standard but fraudulently marked and sold it as if it were high-quality. (And in fact such fraudulently-marked bolts have become a real problem in the mechanical industry.)
Apple's potshot against Microsoft was not to say that Apple's customers ought to be immune from the Windows viruses inadvertently introduced onto Apple's iPods. The potshot was, rather, that it was (in part) Microsoft who allowed the inadvertent introduction in the first place, during what ought to have been a straightforward, automatic, and trouble-free manufacturing and test process.
Please cite the latest report on a copier infected with a virus.
There haven't been any. That's the point of the analogy. It would be preposterous if a copier fell prey to this kind of failure more. It ought to be preposterous and unacceptable that Windows machines are so vulnerable. Why do we continue to accept it?
The quality check should ALWAYS be the last part of delivering any product
And as another poster pointed out, it was evidently during that last, random-sample quality check that the problem was introduced.
You may disagree, but YOU chose to use that print shop. YOU chose to let them ship your product without checking it first. Thus YOU are responsible for the final product.
We need user education.
User education is part of the solution, but it's not a total solution, either. We've been trying it for years, and it doesn't work very well. If the first line of defense against malware is having people not click on suspicious attachments, we'll drown in viruses forever, because there are 1,000,000 ways to trick people into clicking on attachments.
We need some effective technical solutions, too.
Has anyone else contemplated the absolutely brilliant way MP successfully got the word "cunt" past the BBC censors here?
Let me guess, the "fb" stands for fanboy, right?
You may disagree, but YOU chose to use that print shop. YOU chose to let them ship your product without checking it first. Thus YOU are responsible for the final product.
Absolutely, as indeed Apple is for its.
And where did I suggest that anyone should, or that Apple did?