
Fatal System Error

samzenpus posted more than 4 years ago | from the read-all-about-it dept.

Security 104

brothke writes "As computing and technology have evolved, so too have the security threats. The classic Yankee Doodle virus of 1989 did minimal damage, all while playing a patriotic, albeit monotone, song. In 2010, aggressive malware executes in stealth mode, running in the background with an oblivious end-user and antivirus software that can't detect it." Read on for the rest of Ben's review.

Cybercrimes have evolved using increasingly sophisticated techniques, and the resulting financial losses are staggering. Many criminal cyber gangs are well organized and resourceful, and their ability to recover after new defenses have been deployed makes it a challenge for those on the right side of the law.

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is an excellent book billed as a non-fiction cyber-thriller, and describes the cyber gangs who operate on the Internet. Author Joseph Menn, a cyber security reporter for the Financial Times, takes the reader into the inner operations of today's cyber-criminal, who use the Internet as their personal mint.

While Willie Sutton never really said that he robbed banks because that's where the money is, the truth is that today's cyber criminal does know where the money is, and its address is the Internet. They use the net as a means to steal and extort money from businesses and individuals.

The book's protagonist is Barrett Lyon, a highly skilled technical engineer and entrepreneur who founded companies such as Prolexic, BitGravity and 3Crowd. It was at Prolexic that Lyon developed the software used to fend off the DoS attacks that were bringing some of his clients' networks to a standstill.

Lyon, along with the other major character in the book, Andy Crocker, a British policeman, was the one-two punch that resulted in the prosecution of a Russian cyber criminal. The fact that the prosecution took place via the Russian judicial system was a surprise to everyone, because criminals in Russia and Eastern Europe often operate with the assistance of corrupt political and police forces. Even though the evidence against the defendant was significant, securing a guilty verdict was far from a sure thing.

Much of the book deals with Lyon and his working relationship with BetCRIS, a company offering online gambling services, including sports betting, online casino games, online bingo and mobile gambling.

BetCRIS is an off-shore company, operating in the safe havens of the Republic of Costa Rica. In 2003, at the height of the DoS attacks, the BetCRIS website was down for nearly a month. With tens of millions of dollars of gambling revenue at stake, BetCRIS management were desperate for a solution, and they reached out to Lyon.

While Lyon created a first-generation solution to stop the early DoS attacks, the book details how the attackers were able to get around those countermeasures, and how it turned into a cat-and-mouse game of futility, where Lyon would create a fix, only to be met with a new attack.

In the book, Menn writes about many of the major players in the Internet criminal world. He spends a good amount of time writing about the infamous Russian Business Network (RBN). He notes that little true business was carried out via the RBN; rather it was a front for Internet-based criminal activities in Russia.

Menn does get into some technical details, but not so many as to confuse a non-technical reader. He covers topics such as botnets, DoS and DDoS attacks, cyberwarfare, cyber espionage, and the difficulty of prosecuting the perpetrators.

Menn notes that there are many reasons why Russia and Eastern Europe are ground zero for cybercriminals. The educational institutions there provide a good source of technical training; combine that with the fact that legitimate job opportunities are often quite limited. Add the fact that political and law enforcement officials often ignore cyber attacks against the rich capitalists of the US, plus the difficulty and challenges of jurisdiction, and you have a perfect storm for the creation of a sophisticated cyber criminal element. Finally, there is a long and established culture of corruption in Russia and Eastern Europe that adds to the problem.

There are two directions that Fatal System Error takes. The main part of the book is Menn's narrative, which takes up 11 of the book's 12 chapters. These 11 chapters take the reader on an enthralling ride into the inner workings of the cyber-criminal world. Fatal System Error is an enjoyable read, on par with books such as The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage and Takedown: The Pursuit and Capture of Kevin Mitnick.

Where the book truly stands out is in the final chapter, Fixing What's Fixable, and the book is worth purchasing for that chapter alone. Menn displays his incredibly deep understanding of the underlying issues around computer security and why we are vulnerable. He suggests numerous pragmatic solutions to the crisis, and ways to better secure the Internet and networks.

Some of the ideas include significantly greater budgets for information security, more liability against software developers who write insecure code, greater information sharing between the cybercrime agencies in the US and their counterparts in Russia, and more. His on-target analysis of what the US Government can and should do to increase the security of the Internet infrastructure is quite impressive.

After reading the narrative part of the book, many readers will likely be scared to death to connect their computers to the Internet, and to a limited degree, rightfully so. Even with Menn's balanced and compelling account of what transpired, the threat of identity theft and the ease with which financial accounts are breached may be too much for many readers to bear.

If corporate America and the US Government would take Menn's suggestions on how to create a secure Internet infrastructure to heart, many of the security concerns he writes about could be obviated, and the cyber criminals of Eastern Europe would have to look for different work.

Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, to fund more teaching of safer computing in schools, and to completely re-engineer the Internet in order to build in the necessary security functionality that should have been there in the first place. As part of the process of re-engineering the Internet, Menn suggests designs that build accountability into the Internet fabric.

Finally, Menn notes that many end-users are not blameless. By not educating themselves on how to use the Internet securely, they are setting themselves up to become victims. He writes that anyone who connects a computer to the Internet needs to exercise significant security vigilance to ensure that they don't make themselves a victim. It is 2010 and far too many people are still oblivious to the security threats. Many still naively believe that someone from Nigeria really does want to make them richer with tens of millions of dollars' worth of gold from their deceased uncle.

Menn shows how the underlying infrastructure of the Internet is significantly more vulnerable than most people realize. Finally, what exacerbates the problem is that those doing the attacks are working much quicker than those who are trying to secure it.

One of Menn's criticisms is that the US Government spends a fraction of what it should on securing its critical technology infrastructure. Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is the wake-up call that those in Washington, and those charged with IT, need to hear. Unfortunately, it is likely that those who truly need to read this book will press the information security snooze button yet again.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


No Impartial Book Reviews (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31955738)

They're all favorable. Fucking Slashvertisements.

Maybe they can suck or straddle Yankee's Doodle.

Re:No Impartial Book Reviews (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31955820)

They're all favorable. Fucking Slashvertisements.

Maybe they can suck or straddle Yankee's Doodle.

What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone on this site is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

Re:No Impartial Book Reviews (1)

negRo_slim (636783) | more than 4 years ago | (#31956020)

What you've just said is one of the most insanely idiotic things I have ever heard.

Really? For me it was from the summary when the term 'stealth mode' was used to describe your basic root kit.

Re:No Impartial Book Reviews (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31956274)

Yeah, you just wait till I break out of stealth mode and lock my s-foils into attack position. You won't be able to send an outgoing HTTP request because your nic card will be overloaded with the spam I'm forcing through your POP setup for Outlook express! Then I'll go into defensive mode and make it so you can't open task manager and stop safe mode from booting properly - thus making it a real hassle to get rid of me.

Re:No Impartial Book Reviews (1)

X0563511 (793323) | more than 4 years ago | (#31958218)

Erm, break out of stealth and lock your s-foils?

None of the stealth-capable craft in canon have s-foils...

Re:No Impartial Book Reviews (0)

Anonymous Coward | more than 4 years ago | (#31958694)

Please mod parent (-1: get a life)

Re:No Impartial Book Reviews (1)

X0563511 (793323) | more than 4 years ago | (#31960258)

I have one. (now)

I just didn't back when I was in to Star Wars.

Unlike some people, my memory span is greater than a few hours long :P

Re:No Impartial Book Reviews (1, Informative)

corruptblitz (1486729) | more than 4 years ago | (#31956036)

I love this quote, and this is a great time to use it. If I had mod points right now, this would be the first time I'd have ever modded up an AC.

Re:No Impartial Book Reviews (1)

boniggy (1753428) | more than 4 years ago | (#31956778)

They're all favorable. Fucking Slashvertisements.

Maybe they can suck or straddle Yankee's Doodle.

What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone on this site is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

lol.... Billy Madison ref FTW

Re:No Impartial Book Reviews (0)

Anonymous Coward | more than 4 years ago | (#31957802)

You are a true ANAL FETUS.

Re:No Impartial Book Reviews (4, Informative)

ProdigyPuNk (614140) | more than 4 years ago | (#31955872)

Thus it has been, thus it will always be. (1)

Em Emalb (452530) | more than 4 years ago | (#31955806)

"Finally, what exacerbates the problem is that those doing the attacks are working much quicker than those who are trying to secure it."

More $ to be made in attacking than defending.

Fatal System ERRORS: A.K.A. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31955862)

MICROSOFT [microsoft.com] :

bbbbbaaaaaaarrrrrrrrfffffffffffffffffffffffffffffffffffffffffffff.

Yours In Novosibirsk,
Nick Haflinger

Uh, no (4, Insightful)

causality (777677) | more than 4 years ago | (#31955876)

Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, more funding to teach safer computing in schools, and for a complete re-engineering of the Internet, in order to build in the necessary security functionality which should have been in there in the first place. As part of the process to re-engineer the Internet, Menn suggests designs that create accountability into the Internet fabric.

Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? No thanks. A fool and his money are soon parted and there's not much you're going to change about that. Also, I'm sure that "accountability" is a euphemism for "tracked everywhere you go even more than you are now". Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

Re:Uh, no (3, Insightful)

caffeinemessiah (918089) | more than 4 years ago | (#31955956)

Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?

Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.

Re:Uh, no (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#31956080)

Don't say you have a tight setup when you run Windows, it's impossible.

Re:Uh, no (0)

Anonymous Coward | more than 4 years ago | (#31956418)

Only slightly less impossible than you pulling your head out of your ass.

Re:Uh, no (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31956584)

Don't be ridiculous. That's just ignorant.

Ubuntu users have found nasty viruses coming from screen savers in the OFFICIAL repository. Pretending that unix/linux solutions are inherently safe is about the same as sticking your head in the sand. The only reason they're safer is because people aren't that interested in exploiting the relatively few people who use them.

Like it or not, Windows is the premier operating system in the world, for personal computers. The average user is never going to be a linux nerd - the OS is unstable, and requires too much technical expertise with too little software support. You can deny that, but we all know it's true.

That said, there's absolutely no reason you can't run a secure Windows machine. The real issue is that most users aren't savvy enough to realize that security patches are IMPORTANT, and can't tell the difference between a legit virus scanner and, say, Paladin, or XP Antivirus Pro... Moving all of them to non-windows OS's overnight wouldn't fix that problem... not patching security holes, with everyone running linux, would just mean all of the virus-writing goons start targeting Linux.

Re:Uh, no (1)

Nerdfest (867930) | more than 4 years ago | (#31956842)

I believe the Ubuntu screensaver issue was from the Gnome-Look.org site, not the official repositories. My apologies if you're referring to a different virus I have no knowledge of. That said, you are correct, unix and linux are not remotely immune.

Re:Uh, no (3, Informative)

causality (777677) | more than 4 years ago | (#31957162)

I believe the Ubuntu screensaver issue was from the Gnome-Look.org site, not the official repositories. My apologies if you're referring to a different virus I have no knowledge of. That said, you are correct, unix and linux are not remotely immune.

The difference is that *nix systems in their various incarnations have had decades of exposure to all sorts of attacks and have evolved accordingly. I would not call them immune, I would call them resistant. There are many good tools available to secure them and, unlike Windows, these tend to be considered standard system utilities not third-party add-ons.

I believe the whole "anti-virus, anti-malware" mentality of removing an infection after a compromise has taken place is fundamentally broken as a security measure. That's because it is not security at all; it is damage control. After your security has failed it might be useful for containment but that's about it. The correct way to respond to a system compromise is to format the drives and reinstall the OS from known good media. Real security systems are designed to prevent compromises, not to remove malware after a compromise has happened and malware has been installed. This is what you find on *nix. It's not just systems and tools, it's a mentality that goes with them.

This is why there tend not to be successful viruses (I use the term loosely to also include worms and such) propagating in the wild on *nix systems. There do exist viruses for *nix systems; they're called proofs-of-concept. Like all self-replicating forms of malware, they have something in common: they must compromise the system (either a user account or root) before they can do anything else. That is what *nix systems are good at preventing. It also helps tremendously that *nix systems tend not to be the "write once, compromise millions of machines" monoculture that you find on Windows.

The last thing I'll say is that average *nix users tend to be more competent and more knowledgeable than average Windows users. They're more likely to know a risk when they take one. They're more likely to understand why Flash and other software with a terrible security track record is not trustworthy and should be treated as such. They tend to have habits that reduce their exposure. Overall, they are harder targets and don't represent the low-hanging fruit. None of this amounts to "perfect immunity" of course, but it represents a hell of an improvement over the average.

Re:Uh, no (1)

Rockoon (1252108) | more than 4 years ago | (#31961426)

The CERT Advisory [cert.org] history shows us that when the majority of systems on the internet were *nix, there were lots of exploits for *nix systems...

...and that over time, as more and more home users started populating the net with Windows systems, the exploits for Windows grew in number...

...and towards the end of the history, when Windows systems vastly outnumbered everything else on the internet, the great majority of exploits were for Windows systems.

Re:Uh, no (1)

causality (777677) | more than 4 years ago | (#31967168)

The CERT Advisory [cert.org] history shows us that when the majority of systems on the internet were *nix, there were lots of exploits for *nix systems... ...and that over time, as more and more home users started populating the net with Windows systems, the exploits for Windows grew in number... ...and towards the end of the history, when Windows systems vastly outnumbered everything else on the internet, the great majority of exploits were for Windows systems.

Every time there is a discussion like this, somebody pipes up with what you just said as though it were novel, as though he were mentioning something new that wasn't already well-known (but apparently not well-understood).

You are talking decades ago if you refer to a time when the Internet was mostly Unix systems. That Unix throughout the decades has had many attacks and the security issues that go with them, and has had this amount of time to evolve ways of dealing with them was precisely my point. Read my post again if you missed that. The other part of my point was that this experience has made Unix more resistant and easier to lock down than a modern Windows machine, even though both can be made fairly secure.

To make that more clear, someone who is highly skilled and highly experienced with Windows can secure a Windows server. Someone who is highly skilled and highly experienced with Unix can secure a Unix server. In that sense they're nearly equal. Where they are not equal is the fact that the Unix admin can do it in less time, with standard system utilities, in a more transparent fashion, and often with simpler tools.

Re:Uh, no (2, Interesting)

element-o.p. (939033) | more than 4 years ago | (#31957928)

Pretending that unix/linux solutions are inherently safe is about the same as sticking your head in the sand. The only reason they're safer is because people aren't that interested in exploiting the relatively few people who use them.

Inherently safe? Yeah, you're probably right. Even the best, most secure OS in the world can't protect a truly motivated idiot from himself. Inherently safer , however, is what I would claim for Linux, based upon my own anecdotal experience. It's harder to hose an entire Linux box than an entire Windows box and easier to clean up after the fact (having had to clean up both OS'...YMMV). I knew a Linux admin (and I use the term very loosely) who constantly had his boxes hacked on a regular basis. As a result of his experiences, I took a really long, hard look at my choice of OS to see if it really was that much better. In the end, I realized the guy was just an idiot. He didn't take basic precautions to secure his machines, and he was regularly exploited because of it. The one other Linux box I have ever seen compromised was a public-facing FTP and web server where a user with a weak password had their account compromised and PHPShell was uploaded into their public_html directory, and was used to install a spam relayer. That was the extent of the exploit -- they never gained root privileges, they never got outside of the user's home directory. It took us two hours to detect (because it was hacked one hour before we got to work), and maybe another hour to clean up. Cleaning up Windows infections is a whole other story, and that's why most home users just buy a new PC when they get a virus. They run A/V and if the problem is still there, they throw it out and buy a new PC. That's wasteful and expensive.

Like it or not, Windows is the premier operating system in the world, for personal computers.

For now, yes. But that's changing. Like it or not, Linux is becoming more mainstream. My entire datacenter, except for three servers, is Linux (well, and one FreeBSD-based appliance). *ALL* of the desktops our field personnel use are Linux. You can now buy Linux installed from mainstream OEMs.

The average user is never going to be a linux nerd...

If by "Linux nerd" you mean someone like me, who likes to build and maintain Linux machines, yeah, you're probably right. But the average Windows user is not a "Windows nerd", either. They aren't downloading and installing beta versions of the next Windows OS, they aren't tweaking their system on a daily basis, and they don't rebuild the OS when their computer stops working. The average computer user just wants software that works, regardless of operating system. They don't really know the difference -- or care -- between Windows and Linux, because they only want to surf the Internet, send e-mail and type up the occasional document or spreadsheet.

...the OS is unstable...

Pot...Kettle...Black? I've got Linux servers and routers that have uptimes of over five years (well, I did...a few recent power outages that outlasted the aging UPS's changed that). I have *never* seen a Windows box with an uptime like that. Again, YMMV, and the plural of anecdote != data, etc., etc.

...and requires too much technical expertise with too little software support. You can deny that, but we all know it's true.

Yeah, I'll deny that. Ubuntu has become at least as easy to install as any version of Windows I've ever used. Once it's up and running, it's not any more difficult to use than Windows, and speaking as a sys admin who has to maintain about 70 Linux desktops that sit 500 miles away from my office, I can tell you it's far, far easier to maintain a Linux machine from the CLI across a satellite hop than a Windows machine using rdesktop or VNC. Even for a home user, Ubuntu is about as easy to use as anything Redmond has ever produced. The only thing that makes it "difficult" is that it's different than what most people are used to. If you want proof that a *nix-based OS isn't too difficult, just look at how popular the Android platform has become. [wikipedia.org] Linux-based [android.com] .

That said, there's absolutely no reason you can't run a secure Windows machine.

I have yet to see a single Windows machine that didn't eventually get infected by something.

The real issue is that most users aren't savvy enough to realize that security patches are IMPORTANT, and can't tell the difference between a legit virus scanner and, say, Paladin, or XP Antivirus Pro... Moving all of them to non-windows OS's overnight wouldn't fix that problem... not patching security holes, with everyone running linux, would just mean all of the virus-writing goons start targeting Linux.

Meh. At my previous employer, we had a public facing Windows server running IIS that had A/V and was updated regularly by a very conscientious sys admin who (unlike me) actually liked the OS. However, it still got pwnd eventually. It's really easy to blame the victim, because as long as I believe the people who are victimized are either stupid or deserved it, I can feel nice and cozy...especially when a lot of the victims really *are* stupid and/or deserve it. Unfortunately, a lot of intelligent, conscientious Windows users are victimized, too.

Ultimately, if you prefer Windows and you can keep it secure, more power to you. Personally, however, I don't like it, and I don't like trying to fix the problems my relatives keep having with it. But to each their own. Fortunately, we live in a world where I can use Linux and you can use Windows. As long as your Windows PC isn't filling my inbox with spam because it's running malware you didn't even know was there, that freedom to choose is a good thing.

Re:Uh, no (0, Flamebait)

gestalt_n_pepper (991155) | more than 4 years ago | (#31957124)

Ubuntu only *appears* safe. It has fewer viruses because it's not popular enough to attract virus writers. If Ubuntu ever became a common desktop OS, you'd see common Linux viruses. The issues are ecological, not technical.

Re:Uh, no (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#31957514)

Don't say you have a tight setup when you run Windows, it's impossible.

Don't say you have a tight setup when that's your attitude. It's impossible.

Re:Uh, no (4, Insightful)

causality (777677) | more than 4 years ago | (#31956250)

Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?

Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to do detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.

Flash is known insecure software with a terrible track record, and I treat it as such. I obviously can't make others do the same but they're crazy not to. It undoubtedly helps that I am not using Windows (just why that helps is a separate debate). That to me is basic common sense combined with a few minutes of Googling. If that's the standard now for "living in a cave" then the standards these days are quite low. For your item "b" there, it's a lot easier to keep your home when some criminal hasn't drained your bank accounts for you.

It's not about Flash, Windows, living in caves, or having other concerns in life. No, those are all distractions from the actual issue, and you can tell because they're always said in the same irritated emotional tone. It's about two different mentalities. They come up in lots of otherwise unrelated issues including those that are much more political in nature. One mentality wants to look after its own interests and equip itself in order to protect itself. The other believes that is too much of a bother, not their problem, or otherwise is someone else's job. I do not exaggerate in the least when I say that big government of the "we know what's good for you" variety derives most of its existence from the latter because these people want someone to take care of them, almost like children.

So I secure my systems after teaching myself how to do so, and I study good practices. Another person thinks this is too much of a bother and goes with whatever vendor defaults his system came with because to him, security is that vendor's problem only. Guess who gets compromised? Which do you suppose is an easier target? It's not about time or any of those other excuses because you always have time for something you consider important. "I don't have time" is a cute way of saying "this is not a priority". It's about personal responsibility and whether you realize that no one wants to protect your interests quite as much as you do, that all the tools and information you need are out there. Do I have time to be personally responsible and take only the amount of risk I want to take instead of being helplessly dependent on someone else to protect me? Yes, I do have time for that, no caves required.

Re:Uh, no (0)

Anonymous Coward | more than 4 years ago | (#31956996)

That's why I grow my own food, build my own furniture, make my own clothes, build my own computers, and write all my own software. Because you can't trust anyone else to do the Right Thing, and if you want something done right, you've got to do it yourself. Everyone else is just lazy.

Re:Uh, no (0, Offtopic)

hazah (807503) | more than 4 years ago | (#31957370)

Swing and a miss. That's not the point at all.

Re:Uh, no (1)

causality (777677) | more than 4 years ago | (#31958428)

Swing and a miss. That's not the point at all.

That's a typical form of response when someone realizes that you made a solid point that they cannot easily dispute, yet they emotionally don't like the point you have made because it raises questions about their own behavior that they consider uncomfortable. It's basic rationalization of an urge to "shoot the messenger" or in this case, "discredit the messenger". People who do this don't seem to realize how transparent it really is.

Re:Uh, no (1)

Woodmeister (7487) | more than 4 years ago | (#31969774)

I can't believe I'm responding to such an obvious childish troll, but the hell with it, I'll bite this time :) With a car analogy no less!

I don't build my own cars. I don't have the tech, time, and general wherewithal to do so, especially to modern North American standards.

What I _DO_ do however, is learn how to use the features of the car and know how to drive it defensively, as opposed to thinking I should be able to snooze at the wheel.

That's the point the GP was making, making the whooshing sound as it passed you by.

Re:Uh, no (1)

denobug (753200) | more than 4 years ago | (#31958144)

Let's see, running a perfectly secure system vs. running a mission-critical system that has real-world personnel, equipment, and environmental damage should it fail? If those two are mutually exclusive then I choose the latter, segregate and isolate the network and run locally with no outside connections.

We don't live in a perfect world. Unfortunately there is legacy software whose accompanying control hardware is difficult to upgrade, especially if it is running at all times and it takes significant coordination to even do a service turn-around. The last attempt I made took significant coordination and countless hours of communications to personnel low and high (all the way up to top management) to gain approval and support. It is the equivalent of pulling teeth in this environment. It is not easy to be idealistic about it as in your situation when human life is at stake. Human life to me IS more important than desktop security if you ask me.

You may find this interesting, I liked your reply (0)

Anonymous Coward | more than 4 years ago | (#31968524)

"It undoubtedly helps that I am not using Windows (just why that helps is a separate debate). That to me is basic common sense combined with a few minutes of Googling." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Windows can be secured, & here's how, for "bulletproof & bugfree operation", especially over "the long haul" & I've tried to promote that which you speak of, by creating guides for end-user security (which network techs can use on LANS/WANS endpoints such as PC workstation nodes & yes, even servers to an extent), per this guide below:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):

http://www.tcmagazine.com/forums/index.php?s=568d95985ad83ef4add94de09f6026d3&showtopic=2662 [tcmagazine.com]

----

Fact is, what you're saying?

It is the "WHY" of why I wrote the VERY FIRST/OLDEST security guide for Windows NT-based OS, which NEOWIN picked up on in 2001 & rated it extremely well too, no less, here -> http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net] and it had its "dim early beginnings" back in 1997-1998 @ NTCompatible.com as their "Article #1" here http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] (it started out on how to speed up a Windows NT based PC, & grew into a "SPEED & SECURITY GUIDE" there over the next few years 1998-2002 or so).

(Which, however, as of late 2007 to present, has become far, Far, FAR MORE EFFECTIVE in its latest iteration shown below, w/ evidences thereof to that effect (solid, uninfested uptime for YEARS & how/why too))

It works, & is based on the concept of what many computer security folks the past few years have been calling "LAYERED SECURITY"...

PROOFS/EXAMPLES OF ITS EFFICACY? Ok, below:

----

http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60 [theplanet.com]

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i used to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will be your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

----

Nuff said (not only me just saying it, & especially letting others do my talking for me via quotes...)

From the sound of how you speak though, well, You probably know a good deal of what's in that guide hopefully, but, I'd wager there's a thing or two you may find new or different than you've seen from others like them that will increase your speed &/or security online, noticeably... VERY noticeably, to the good, mind you.

----

"Flash is known insecure software with a terrible track record, and I treat it as such. I obviously can't make others do the same but they're crazy not to." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Agreed, & though it may provide a few things that even I find amusing or fun? It's NOT worth using on a system where I have much of my life tied up in what's on said system... I just can't take that chance, personally.

----

"If that's the standard now for "living in a cave" then the standards these days are quite low. For your item "b" there, it's a lot easier to keep your home when some criminal hasn't drained your bank accounts for you." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

True!

----

"It's not about Flash, Windows, living in caves, or having other concerns in life. No, those are all distractions from the actual issue, and you can tell because they're always said in the same irritated emotional tone." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Agreed!!

----

"It's about two different mentalities." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Yes, it is...!!!

----

"They come up in lots of otherwise unrelated issues including those that are much more political in nature. One mentality wants to look after its own interests and equip itself in order to protect itself." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Absolutely: LOL, I think by the above, you might say for SURE that I am of this nature you're describing... The classic rhetorical question, of : "Want a job done RIGHT? Do it yourself!" applies...

Man, sometimes though, beforehand, it pays that you learn a few things if need be if what you're about to do isn't a "snap" task, but something complex or expensive to repair if you mess up on it.

After that, then try do it yourself for yourself, & others for pay etc. ...

(LOL - It's all that, or be close by watching the entire time while the job's done if you can't hack that much, & it happens, we end up paying others for services we can't do ourselves, if only for lack of the tools or licenses to do so professionally etc./et al)

----

"The other believes that is too much of a bother, not their problem, or otherwise is someone else's job. I do not exaggerate in the least when I say that big government of the "we know what's good for you" variety derives most of its existence from the latter because these people want someone to take care of them, almost like children. " - by causality (777677) on Friday April 23, @11:45AM (#31956250)

I have people in my life of that nature, because the computer's just a web browser & email tool, nothing more to them. That's cool & all that too, but to folks like those, the PC's just another toaster, or stereo, or microwave (an appliance) or a tv etc./et al... they're just "not into it" is all, which is, again cool (& if you're into them, it's a good thing for you folks like that are around, because think about it - they're the very ones that will end up PAYING YOU man, lol!)

Always some "good in the bad, & ugly"...

Well, also...? Yes, some of those people read guides like mine above & do get "into it" because sooner or later they get to a stage on computers where they just know how to "redo the operating system install" & off they go again, & they no longer fear system reinstalls (45 minutes tops, & they know it) so they do not mind trying new things. They get to that stage & try guides like that one above, eventually, & find that they work, per the above.

Again, read it if you haven't, & if you've got something good to add to it, by all means, do (& thanks - good ideas come from everywhere really).

----

"So I secure my systems after teaching myself how to do so, and I study good practices." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Heh, I am replying to each of your quotes & just ran into this one, & yea... do read that guide of mine above if you haven't. Add to it if you have good ideas for more that could be done added onto it, if you have the time that is... because, again - good ideas come from everywhere.

---

"Another person thinks this is too much of a bother and goes with whatever vendor defaults his system came with because to him, security is that vendor's problem only." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Pretty much dead on right: I can understand them though, but most of all? Heh: I APPRECIATE THOSE FOLKS!

(So should you, as again, they're the very folks that'll end up being your paycheck @ some point, because face it - IF they were inclined to learn this art & science to a fairly fine/higher degree, especially on all levels?? Hey - lol, they just wouldn't need folks that are "into it" to the level enough of say, imo @ least, a highly skilled network tech or admin & hopefully with some coding skills if necessary on all levels (this is a rarity, but there are enough guys out there that can do all that well too).)

----

"Guess who gets compromised?" - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Let's let Bob Dylan say it for us:

Come senators, congressmen
Please heed the call
Don't stand in the doorway
Don't block up the hall
For he that gets hurt
Will be he who has stalled
There's a battle outside ragin'.
It'll soon shake your
(ms) windows
And rattle your
(fire) walls
For the times they are a-changin'.

----

"Which do you suppose is an easier target?" - by causality (777677) on Friday April 23, @11:45AM (#31956250)

LMAO - same as my last paragraph above need apply only, along with another set of B.D.'s lyrics:

Come gather 'round people
Wherever you roam
And admit that the waters
Around you have grown
And accept it that soon
You'll be drenched to the bone.
If your time to you
Is worth savin'
Then you better start swimmin'
Or you'll sink like a stone
For the times they are a-changin'.

----

"It's not about time or any of those other excuses because you always have time for something you consider important. "I don't have time" is a cute way of saying "this is not a priority". It's about personal responsibility and whether you realize that no one wants to protect your interests quite as much as you do, that all the tools and information you need are out there." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

True, per what I post above (automated as much as possible too, rather than manual hacking alone) - it's also about a personal responsibility to others as well, you overlooked that man... the infected? ARE "Digital Plague Carriers", in a way, & spreading any kind of disease is uncool, especially intentionally, but online as well!

This is a very, Very, VERY "Communications-Oriented" art & science, and tool as a result of that fact, & that means "personal contact", which means in the case of disease vectors as my analog, a lot of similarities to real world plagues, & thus, also the same general way of passing them along, via contact of some kind. Keeping yourself "clean"? Is also doing the same for others, if you think about it also.

I also say that, because someone's work & life may be riding on what's going on, on their PC (not just yours), & by spreading via USB sticks or sending emails riddled with malscripted content ontop of oh, A MILLION KNOWN BAD SITES (that I'm aware of via HOSTS file populating here, @ approximately 840,000 unique blocked entries of known bad sites) out there today online? Well... do the math!

Being someone who gets all bugged up & spreads it around? Well, lol, you're NOT helping if you leave yourself running all "botnet enslaved" or plagued by malware/rootkit/virus/trojan/spyware riddled wares you use because the kind of folks you describe do that kind of thing, like mad, & I've seen it, firsthand too many times both professionally &/or casually for friends and being paid to clean them up (takes time, my time, that is not free).

----

"Do I have time to be personally responsible and take only the amount of risk I want to take instead of being helplessly dependent on someone else to protect me? Yes, I do have time for that, no caves required." - by causality (777677) on Friday April 23, @11:45AM (#31956250)

Good deal, you're probably not part of the "Typhoid Mary" crew you described imo, above... lol! And, damned straight: &, the "big payola" @ the end of it, is a huge timesavings + an environment that you really had the time to perfect, running "110% bulletproof & bugfree" (as well as being able to create a customized-to-the-max, super-tuned & organized PLUS extended (OS shell, compiler add-ons, you-name-it + more) setup), & no need for "Redo the system every 6 months or less" type crap.

You can't build on what you don't have, & having a setup run, as I have had, for over 15++ or so years of solid bulletproof uptime (not counting reboots for service packs & patches/hotfixes OR trying every Windows NT-based OS they made since NT 3.5 onwards & when I switched to them) that's not "bug infested" all the time (never in that timeframe I just noted)... by having that, you can begin to accomplish things that get YOU paid, educated, skilled, & more (improved in general hopefully), and that's just because you're not "going down" all the time!

(Additionally/Lastly - So, instead of wasting time doing rebuilds/reinstalls, you keep building on a SOLID something, making it, continually better in fact & a pleasure to use (I think of it as hotrodding car, in a way, always have), and improving your lot in this life from a thing like a machine like these in some support role, never hurts either)...

Fact is, I quite often wonder that if the "naysayers" to security being a mandate on PC's too aren't malware makers/botnet masters/malscripted site hosts themselves... they'd be the ONLY people I can see saying "Oh, just use the firewall + antivirus programs you use & that's enough" because judging from the results out there today? LOL, they're obviously NOT enough.

LMAO - some more Bob Dylan for those folks (watching "The Watchmen" here as I write this in fact, & it seems to apply):

Come mothers and fathers
Throughout the land
And don't criticize
What you can't understand
Your sons and your daughters
Are beyond your command
Your old road is
Rapidly agin'.
Please get out of the new one
If you can't lend your hand
For the times they are a-changin'.

I never get "bugged" though, & neither do others that have used my guides for securing Windows (& yes, other OS' too like Linux), funny that, eh? Funniest part is when others try to put the practice of securing a PC down, I always suspect they're up to "no good" themselves is why, personally, & honestly, lol!

APK

P.S.=> Yea - I can tell anyone from 1st hand experience that yes, it's worth doing for 1-2 hours of your time in security hardening systems (any OS, not just Windows, because Linux has its SELinux-bearing distros not nearly as secured by default as they can be, nor does Apple, & they do have a good guide for it though on their own website for MacOS X too)... it's worth 2 hours MAX of your time, for a return of years of solid uptime into the distance... apk
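The post above leans heavily on a very large HOSTS blocklist (the "approximately 840,000 unique blocked entries"). The check a practitioner wants before installing any such list is that every entry is actually a blackhole: an entry that maps a hostname to a routable address is a redirect, not a block, and a poisoned list could use exactly that to hijack a banking domain. The following is an added example, not code from APK's guide or any of the forums linked above; the sample list, the hostnames and the 203.0.113.7 address are constructed for illustration.

```python
"""Validate and deduplicate a hosts-file style blocklist before installing it.

Added example (not from the guide quoted above). Every entry must map a
hostname to a blackhole address; anything else is flagged as a problem
rather than silently written into the system hosts file.
"""
import ipaddress
import re

# Addresses that drop traffic rather than redirect it.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def validate_blocklist(text):
    """Return (sorted unique blocked hostnames, [(lineno, problem), ...]).

    An entry is accepted only if its address is a blackhole and every
    hostname on the line is well formed. Case is folded so duplicates
    that differ only in capitalisation collapse to one entry.
    """
    blocked = set()
    problems = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append((lineno, f"not an IP address: {ip!r}"))
            continue
        if not names:
            problems.append((lineno, "address with no hostname"))
            continue
        if str(addr) not in BLACKHOLE:
            # This is the dangerous case: the list would redirect, not block.
            problems.append((lineno, f"redirect, not a block: {names} -> {addr}"))
            continue
        for name in names:
            if not HOSTNAME_RE.match(name):
                problems.append((lineno, f"malformed hostname {name!r}"))
                continue
            blocked.add(name.lower())
    return sorted(blocked), problems


def render_hosts(hosts, sink="0.0.0.0"):
    """Emit a clean hosts file mapping every name to one sink address."""
    return "".join(f"{sink} {h}\n" for h in hosts)


# Constructed sample list for the example; not a real blocklist feed.
SAMPLE_LIST = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net        # ordinary block entry
0.0.0.0 ADS.example.net        # duplicate differing only in case
0.0.0.0 tracker.example.org malware.example.org
203.0.113.7 bank.example.com   # redirect: a poisoned entry
0.0.0.0 bad_host.example       # underscore: malformed hostname
not-an-ip something.example
"""

if __name__ == "__main__":
    hosts, problems = validate_blocklist(SAMPLE_LIST)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(render_hosts(hosts), end="")
```

Run against the sample, the three bad lines are reported and only the four genuine blackhole names survive into the rendered file. The same function works unchanged on a multi-hundred-thousand-line list, since it keeps only a set of names in memory.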

Re:Uh, no (0)

Anonymous Coward | more than 4 years ago | (#31956412)

If you're picking up rootkits and/or trojans you're not exactly running a "tight ship", buddy. 10 years of heavy Internet browsing without a virus scanner (they don't catch most malware ANYWAY) and I haven't gotten more than a tracking cookie. There's something to be said for maintaining a secure network, and being selective where you go on the Internet.

Re:Uh, no (0)

Anonymous Coward | more than 4 years ago | (#31957230)

Seconded. If you are getting random infections instead of your AV just flagging some crackz or warez you may have downloaded as the trojans that they really are then I would put money down that you already have some infection on your box. You seriously might want to consider doing an offline virus/rootkit check from your favorite live-cd.

Re:Uh, no (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#31957496)

Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware

You mean the people who had autorun enabled, allowing this to happen?

Allow me to give you an example which most people here won't be able to detect instantaneously: zero-day exploit in Flash + rootkit + trojan.

Unless, of course, you disable flash by default and only enabled it for sites you can reasonably trust. While this isn't going to be 100% bulletproof, for most people it would stop this as a vector.

but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

Then you're doing it wrong.

Since the computer is just an appliance to most people (and it is), I used to think that people weren't really wrong in not wanting to think about such common sense steps as would let them prevent harm to themselves and others. But... I'm coming to realize that it can't work that way. The single biggest reason is that in most cases, the impacts of their ignorance reach far beyond themselves. Whether it be exposing personal information of family and friends, or running a payload that converts the machine to a spam factory, there is damage being done to others. Much like "your right to free speech ends at the tip of my nose", your right to use this powerful tool called a "computer" ends when it infringes on my data and/or time.

No, the real problem has a couple of parts. For years, OS manufacturers and/or AV creators have been selling users false security. MS says use AV. AV says use their product. Apple says they're so great you don't need AV. But none of these things actually protect you from your ignorance. Until computer users realize that even though their computer is an appliance, they must know how to use that appliance properly (as with any other appliance). Even a coffee maker can burn you if you put your hand on the warming plate -- and most people educate themselves to this very early on. Unlike the coffeemaker, failure to learn basic practical security costs not only you, but those around you.

Re:Uh, no (1)

lgw (121541) | more than 4 years ago | (#31960628)

The days when you had to actively do something silly, like run an executable, to have malware show up are long gone. Oh, sure, it's possible to disable enough of the functionality of a home computer that you can browse the web safely, but there's not a lot left once you've done so. Yes, this is /. and some people enjoy using Linux, but it's gotten to the point where you can't safely have a PDF viewer.

The only way to browse safely these days is to create a VM just for that purpose, and roll it back when you're done, and even then there may be jailbreak exploits in the wild that haven't come to light yet. Ordinary safe browsing habits are still very helpful, of course, but an attacker no longer requires a stupid user as part of the attack vector, merely an exploit that hasn't made the news yet.

Re:Uh, no (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#31961954)

I disagree. The steps are not so simple to take anymore, but they're still there.

1. Install your PDF viewer of choice, but disable the web browser integration so that it can never open a PDF without your knowledge.

2. Keep Flash installed, but use a plugin to disable it unless you want to turn it on. Same for Java and Silverlight. The only thing that's a bit silly about this is that it really shouldn't require a plugin.

3. All the usual - don't install things unless you know they're from trusted individuals. Don't download random crap from random places (anything pirated - pirating aside, there's a more-than-even chance that any such download you make is infected).

4. Run windows firewall ( or iptables). (I'd recommend also avoiding the firewalls that charge $60 -- they make a lot of noise about how much they help, but are no more or less effective. )

5. disable HTML and images in email, or at least set it to be only on demand.

You'll notice that all of the above rely on user discretion - they have to pick and choose the things they want to open on their computer. And they need to do it intelligently.

The steps above are not particularly simple, but that's my point. If you (not "you", but you know what I mean...) can't handle steps that aren't simple, you shouldn't be connecting your computer to everyone else in the world - you're putting them at risk with your irresponsible behavior. Someone who falls into this category should stick to their non-jailbroken iPad - which only lets them install safe software.

(For that reason, I think there *is* a great market for tightly locked down and controlled machines -- exactly the type of person who sees the computer as an appliance that they don't need to learn about)

You mentioned VMs - and that's not a bad answer either. Again, if it's beyond someone's capability to handle it, then they shouldn't be online. I really used to be more sympathetic, but I realized that as long as people don't, won't, or can't take responsibility, there's no way to stop them from making the problem worse.

I am also not implying that people who get infected are stupid; I'm sure this occurs across the intelligence spectrum. People are mostly oblivious and have other concerns. But that doesn't provide an excuse.

OS and AV companies, by selling what they sell, are perpetuating it by letting the user think he has nothing to worry about. . Frankly, I don't see an actual solution -- but I do know that absolving the user of his responsibility in the problem is not part of it.

Re:Uh, no (1)

lgw (121541) | more than 4 years ago | (#31962344)

That's a complicated list to follow, even for a geek, and it has this big downside: I want to see PDFs in my browser, and flash, and javascript, and etc. You're asking me to do a lot of work in order to be penalized.

Proper sandboxing is a much better answer - you still have to worry about jailbreaks, but that's all you have to worry about, unless you really are stupid enough to run random executables. Fortunately, app sandboxing through virtualization is here already, it just needs to mature a bit (whether it will is a different question).

Absolving the user of his responsibility is the best solution to any security problem. Educating the user generally fails, especially if you're asking someone to remember something more complicated than "wash your hands". Making it really easy to do the right thing, and really painful to do the wrong thing, works really well (there will always be people that disable multiple elaborate safety mechanisms just so they can hurt themselves, but they're rare enough).

Re:Uh, no (0)

Anonymous Coward | more than 4 years ago | (#31955968)

It's actually the kittens and ponies kind of accountability, where there is no central authority to track transactions or identity yet all records are guaranteed accurate and remediation across international jurisdictions is as simple as calling for a pizza.

Re:Uh, no (2, Insightful)

rickb928 (945187) | more than 4 years ago | (#31956222)

"Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?"

Uh, no. With MITM attacks, spoofing raised to a fine art, SSL hijacks of any number of different methods, fake/spoofed/stolen certificates, it can be very, very hard to avoid making a mistake and trusting something you should not.

"No thanks. A fool and his money are soon parted and there's not much you're going to change about that."

Doh.

"Also, I'm sure that "accountability" is a euphemism for "tracked everywhere you go even more than you are now". Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor."

Yup. It's a fine line between security and oppression.

Re:Uh, no (2, Insightful)

causality (777677) | more than 4 years ago | (#31956550)

Uh, no. With MITM attacks, spoofing raised to a fine art, SSL hijacks of any number of different methods, fake/spoofed/stolen certificates, it can be very, very hard to avoid making a mistake and trusting something you should not.

I agree that there are sophisticated methods by which a determined adversary concentrating his efforts against a particular target might effect a compromise. However, if all compromises were of this type only, then ID theft would be a nearly unknown crime and botnets unheard-of. That's because an attack this effective and sophisticated does not easily lend itself to automation. Criminals can't compromise tens of thousands of machines or build large lists of account numbers that way. If the level of sophistication you mention were the bare minimum requirement to break the security of the average user, we'd have a global Heaven on Earth in terms of network security.

The vast, vast majority of phishing attacks are quite crude by comparison. They are crude because crude works. People fall for it, all the time. These simpler, less sophisticated attacks are easy to automate and send to thousands of users. When a criminal can send a simpler attack to many thousands, only a small percentage need to get suckered for him to profit immensely. This is where most of the problems are coming from, not dedicated personal efforts against specific targets that require a lot of manpower and expertise to execute. I think the latter is within the realm of statistical noise by comparison.

Yup. It's a fine line between security and oppression.

Security of the "be responsible for your own host and your own network because it's in your interests to prevent their compromise" variety doesn't lend itself to oppression. Security of the "we will be the central authority who will do everything for you" variety certainly does, not to mention it probably won't work. I think when it comes to security, it's perfectly reasonable to say "if you don't care, neither should we." It really doesn't take much to be a much harder target than the lowest-hanging fruit.

Re:Uh, no (1)

rickb928 (945187) | more than 4 years ago | (#31958046)

I managed a very small ISP for a while in the 90s, and have my own mail and web servers to this day.

The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.

Your operating system choice makes no difference. They attack everything. You just use different tools and methods depending on what's available and what works.

Re:Uh, no (2, Interesting)

causality (777677) | more than 4 years ago | (#31958598)

I managed a very small ISP for a while in the 90s, and have my own mail and web servers to this day.

The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.

Your operating system choice makes no difference. They attack everything. You just use different tools and methods depending on what's available and what works.

I know what you mean. I run a very small-scale personal-use SFTP server (no shell access for any account) so I can access some of my files remotely. I use SSHGuard to hinder brute-force attacks and LogSentry to keep abreast of the activity. I constantly receive attacks at all hours of the day. They're quite dumb and have little or no sophistication; most are just trying to guess default passwords for system accounts and such.

I have told many people the same thing you just said. I have explained that if you run any sort of Internet-facing network service, you will get attacked and probably with high frequency. There is no such thing as "so obscure and small-scale that you're under the radar". Expect it and plan for it. The people who are surprised when this happens are the easy targets.

I disagree that my choice of OS makes no difference. I submit that my Gentoo Hardened system with very strict security policies is more difficult to compromise than a Windows installation on the same hardware offering the same SFTP service. When you build everything from source, you can implement protections against buffer overflows and other vulnerabilities that aren't available on a closed-source OS. With a *nix system, the tools I am using are not some black box. I can take them apart, examine them, and really understand how they work before integrating them into my system. The system itself is transparent. If something goes wrong, I can always find out why and can almost always do something about it. If something breaks, it broke for a good reason, it'll stay broken until I fix it, and when I fix it it'll stay fixed. My experience with Windows has been nothing like this.

I am not saying that one cannot run a very secure Windows system. I am saying it's easier to achieve the same level of security with a *nix system. More than that, it's easier to actually understand what you are guarding against and why your measures are effective. I think the importance of that last point is underappreciated. It cannot be properly appreciated in the realm of "run this anti-malware product and hope it takes care of things for you" and the mentality that goes along with it.
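The brute-force noise the commenter describes (guessing default passwords for system accounts, all day long) is exactly what tools like SSHGuard key on. The script below is an added example, not code from the commenter or from SSHGuard or LogSentry: it parses OpenSSH "Failed password" lines from a syslog-style auth log, keeps a sliding window of failures per source address, and flags any address that exceeds a threshold inside the window. The log lines are constructed for the example, the year is assumed (syslog timestamps carry none), and the threshold, window and iptables rule format are assumptions a deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log syntax; not captured from a real host.
SAMPLE_LOG = """\
Apr 20 03:14:01 host sshd[2311]: Invalid user admin from 203.0.113.7 port 51234
Apr 20 03:14:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 20 03:14:03 host sshd[2313]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 20 03:14:05 host sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Apr 20 03:14:06 host sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Apr 20 03:14:08 host sshd[2319]: Failed password for root from 203.0.113.7 port 51255 ssh2
Apr 20 03:20:00 host sshd[2400]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Apr 20 03:20:30 host sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Apr 20 03:45:00 host sshd[2500]: Failed password for root from 192.0.2.9 port 33000 ssh2
Apr 20 03:59:00 host sshd[2501]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches the OpenSSH failed-password line; "invalid user" is present when the account does not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(raw: str) -> datetime:
    # Syslog timestamps have no year; a fixed assumed year keeps them comparable within one log.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S").replace(year=2010)


def find_bruteforcers(log_text: str, threshold: int = 5, window_minutes: int = 10) -> dict:
    """Return {ip: summary} for every source with >= threshold failures inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins, "Invalid user" pre-auth lines, etc. are not failures
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = {
                "failures": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            }
    return offenders


def block_rules(offenders: dict, port: int = 22) -> list:
    """Render one iptables DROP rule per offending address (assumed response; SSHGuard does its own)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures in {info['last'] - info['first']}, users tried: {info['users']}")
    for rule in block_rules(hits):
        print(rule)
```

On the sample, only 203.0.113.7 trips the rule (five failures in seven seconds against admin, root, oracle and test); alice's single typo and the two slow root attempts from 192.0.2.9 fourteen minutes apart stay under it. The window matters: an attacker who spreads guesses out to one every few minutes evades a short window, which is why SSHGuard-style tools also escalate block durations for repeat offenders.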

Re:Uh, no (1)

rickb928 (945187) | more than 4 years ago | (#31959022)

"I have explained that if you run any sort of Internet-facing network service, you will get attacked and probably with high frequency."

Actually, you might want to be more accurate. They -ARE- being attacked, whether they know it or not. Not knowing it leads easily to not knowing they have been compromised. They -ARE- being attacked. Not 'will'.

"When you build everything from source, you can implement protections against buffer overflows and other vulnerabilities that aren't available on a closed-source OS. With a *nix system, the tools I am using are not some black box. I can take them apart, examine them, and really understand how they work before integrating them into my system."

well, not everyone who wants to run an Internet server is a programmer, or has skills in security or OS management. If you follow the lead of many in the community, you will say that if they don't know what they are doing, they shouldn't be doing it. Well, that's close to telling people that it is not safe, so don't. This makes the Internet a different place than the creators intended, but it may in the end be unavoidable.

"I am not saying that one cannot run a very secure Windows system. I am saying it's easier to achieve the same level of security with a *nix system."

Depends on your level of skills. I submit it requires more skills to do so in a Linux environment. Of course, in a windows environment, you can buy a lot of stuff, so it is more expensive. And still not good assurances that you are meeting your goals, despite the price tag.

Re:Uh, no (1)

lgw (121541) | more than 4 years ago | (#31960734)

Well, there are systems obscure enough to remain secure, but certainly not any flavor of Linux or BSD. That guy who wrote the Commodore 64-based web server? He's probably OK, as are people who've written an OS that's substantively their own (this used to be pretty common for old mainframes running some variant of DOS/VSE, but most of that hardware is dead now).

I wonder about Netware. I know that some Three Letter Agencies used to make good use of Netware, which seemed smart to me as all the people who knew enough to write a rootkit could fit in a room (and if there was an incident, they probably would be), but attackers are now so sophisticated in reverse engineering OS components that I doubt there's still safety there.

Re:Uh, no (1)

medcalf (68293) | more than 4 years ago | (#31956260)

Well, yes. When you have a tool that is easily abused, you redesign it to be less easily abused. The Internet is far, far past its optimal expiration life and design use cases, kept alive by the cost of replacing it with something better. The evidence for the Internet being past its optimal life is the prevalence of spam, malware and botnets. While no system can be completely secure, it's possible (via non-deniability if you're feeling big brotherish, or webs of trust if you're feeling libertarian, and packet signing regardless of which way you're feeling) to make the internet far more secure than it is.

Re:Uh, no (1)

Hatta (162192) | more than 4 years ago | (#31956366)

Redesigning the internet so it can be controlled by a powerful few would be much more prone to abuse than the current internet.

Re:Uh, no (1)

TubeSteak (669689) | more than 4 years ago | (#31956706)

Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? ... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

You have a very narrow view of what is and isn't a vulnerability on the internet.

We're not just talking phishing sites and nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc etc etc. The status quo is almost entirely trust based and in the long run, cannot stand.

Re:Uh, no (1)

causality (777677) | more than 4 years ago | (#31956976)

Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? ... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

You have a very narrow view of what is and isn't a vulnerability on the internet.

We're not just talking phishing sites and nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc etc etc. The status quo is almost entirely trust based and in the long run, cannot stand.

The nice thing about trust-based situations is that you can choose to regard them as untrustworthy and proceed accordingly. It's a rare day indeed that I hear of a compromise where someone chose to do this.

Re:Uh, no (1)

Creepy (93888) | more than 4 years ago | (#31964286)

of course, we have exactly what he's asking for - it's called IPv6 - built in unique ID, built in security (IPsec), and nobody would ever want to use NAT (at least that's what a KAME developer told me, lol).

Of course, if you're a little paranoid, you'd realize marketing and governments know exactly who uses every box. Not something I like to think about...

Yankee Doodle is not monotonic. (2, Informative)

Anonymous Coward | more than 4 years ago | (#31955928)

There's 3 different tones in the first 4 notes alone, goodness!!!

Re:Yankee Doodle is not monotonic. (1)

6031769 (829845) | more than 4 years ago | (#31956290)

The tune is monotonous, the rendition was monophonic. Not sure which the OP meant.

Re:Yankee Doodle is not monotonic. (0)

Anonymous Coward | more than 4 years ago | (#31959492)

I am not a music guru, but strictly speaking, I thought it was monotone also.

I think people use the term for low quality sound.

CYBERWAR (0)

Anonymous Coward | more than 4 years ago | (#31955938)

If we keep on saying there is a CYBERWAR then it will eventually become true, right?

Re:CYBERWAR (1)

PIBM (588930) | more than 4 years ago | (#31955986)

If you say it 3 times in a row while looking in a mirror you will die!!

Re:CYBERWAR (1)

boneclinkz (1284458) | more than 4 years ago | (#31957542)

"This is Fox News, where we put you on the front lines of the CYBERWAR" *cue animated graphic of M1A1 tank driving into a CRT computer monitor, being digitized, then firing a stream of binary code* "On Tuesday night, Facebook was reduced to ruin by saturation DOTBOMBING from foreign sources"

Pedantic, but... (2, Informative)

Anonymous Coward | more than 4 years ago | (#31955996)

monophonic != monotone

Re:Pedantic, but... (2, Insightful)

CannonballHead (842625) | more than 4 years ago | (#31956164)

That's not pedantic, that's basic terminology. MonoTONE would be one TONE. Monophonic would be one "sound" [at a time]. The "monotonic Yankee Doodle" does not even make sense...

Re:Pedantic, but... (1)

russotto (537200) | more than 4 years ago | (#31956278)

That's not pedantic, that's basic terminology. MonoTONE would be one TONE. Monophonic would be one "sound" [at a time]. The "monotonic Yankee Doodle" does not even make sense...

I never heard the original Yankee Doodle virus, but the quality of computer sound used to be quite bad, and "Yankee Doodle" played without pitch changes would still be recognizable from the rhythm.

Re:Pedantic, but... (1)

CannonballHead (842625) | more than 4 years ago | (#31956334)

but the quality of computer sound used to be quite bad, and "Yankee Doodle" played without pitch changes would still be recognizable from the rhythm.

If they actually meant monotone... but it's difficult to believe that in 1989, the computer-generated sound was actually monotonic.

Re:Pedantic, but... (1)

GillyGuthrie (1515855) | more than 4 years ago | (#31960616)

"Yan-kee Doo-dle went to town a - riding on his po -ny" is all eight notes. It would not be distinguishable without pitch changes.

Re:Pedantic, but... (1)

oldhack (1037484) | more than 4 years ago | (#31957988)

Yep, i.e., a single note at a time, no multi-note harmonies.

All you pedants go dig deeper with harmonic frequencies and more acoustics signal processing for your own amusement if you like.

Re:Pedantic, but... (1)

CannonballHead (842625) | more than 4 years ago | (#31961338)

"Multi-note harmonies" = polyphony.

It's not pedantic. It's the meaning of the word. Flat. Unvarying. Never changes. "An unchanging intonation," according to Google.

I am pretty sure this would be similar to me saying that Linux == Ubuntu. Most people would not particularly like that here ;)

Re:Pedantic, but... (1)

oldhack (1037484) | more than 4 years ago | (#31961524)

I was agreeing with you, but was suggesting the use of the term "note" instead of "sound" as a better alternative to convey your meaning. The "pedants" I had in mind were those who would go on about how a "note" can contain multiple harmonics, and so forth, unless the note is a sine wave.

Re:Pedantic, but... (1)

CannonballHead (842625) | more than 4 years ago | (#31962590)

Ah, misunderstood. I agree, note would have been better. :)

Finally, some pragmatic solutions (0)

Anonymous Coward | more than 4 years ago | (#31956004)

Like a complete re-engineering of the Internet.

Reviewer confused about Slashdot (4, Insightful)

Areyoukiddingme (1289470) | more than 4 years ago | (#31956178)

Somehow it appears the book reviewer confused Slashdot for the Ladies Home Journal. Was it really necessary to use the "cyber" prefix 47 times? Really? Because we're so impressed when it's a cybergang, instead of just a gang.

One hopes the book isn't that bad...

Frank cyber-walked his cyber-beat. (5, Funny)

khasim (1285) | more than 4 years ago | (#31956346)

He knew there was a cyber-gang out there waiting to commit their next cyber-crime. Frank knew he had to catch them with the cyber-goods. Frank's 45 wouldn't be much help on this cyber-collar. Frank needed something better. Frank needed a cyber-45. Frank knew only one person who could supply him with that, Cyber-Jimmy. The best cyber-fence in the cyber-world. Frank pulled up to the next cyber-phone to give Cyber-Jimmy a cyber-call.

The cyber-phone cyber rang.

Cyber-Smurf here, came the reply.

Re:Frank cyber-walked his cyber-beat. (0)

Anonymous Coward | more than 4 years ago | (#31956862)

Cyber-Smurf cyber-here, cyber-came the cyber-cyber-reply.

FTFY

Re:Frank cyber-walked his cyber-beat. (0)

Anonymous Coward | more than 4 years ago | (#31958306)

I think I just Cyber-Vomited.

Re:Frank cyber-walked his cyber-beat. (1)

sgt scrub (869860) | more than 4 years ago | (#31959454)

I'm riveted! How does it end!

Re:Reviewer confused about Slashdot (0)

Anonymous Coward | more than 4 years ago | (#31957886)

I think the point is to refer to the non-physical world.
But really, is it that much of a deal that he used "cyber" too many times?

Re:Reviewer confused about Slashdot (0)

Anonymous Coward | more than 4 years ago | (#31970998)

and your point is??????

Fear and loathing in PC Town (3, Insightful)

gx5000 (863863) | more than 4 years ago | (#31956352)

All i see is another book that uses paranoia and fear to sell....
Hidden code...oooo....Stealth Mode executing..aahhhhh...Root kits ! *GAG*

I know we're talking about the common user here....
But drive a car with no regards and you get the same thing...an accident.
Get a mechanic, a good one that can show you the pitfalls and some fixes.

But if you drive like a fool and visit "those" sites you get what you get.
Get Acronis and re-image your ass every week....you'll be fine.

Re:Fear and loathing in PC Town (0)

Anonymous Coward | more than 4 years ago | (#31956622)

Get Acronis and re-image your ass every week....you'll be fine.

... until next week's infection, of course.

Getting rid of the virus is one thing, zipping up your jacket so the cold does not again get to you is the next logical step

Or rather, it should be done before stepping into the cold. But alas, as reasonable as that sounds for the physical world, when it comes to the cyberworld most users seem to ignore that kind of common sense.

Re:Fear and loathing in PC Town (1)

Machtyn (759119) | more than 4 years ago | (#31956676)

The problem is, most people don't know they should get themselves a good computer mechanic to show them the ropes. There is no real manual to safe computing or rules of the road for computers. That is, when you get a car, you license yourself and basically prove you know how to use it so as not to endanger yourself and others.

I hate to say it because it will make me sound one-sided, but Microsoft's control on the market is a huge detriment to security. The major computer manufacturers still don't preload Firefox, much less adding ad-block and/or no-script add-ons. The vendors still force McAfee and Norton on us without so much as showing there are better alternatives. The A/V vendors still package their A/V product separately from their Internet Security and Computer Defense products. And there is no book or online manual that a user is going to want to read (for too long) that will instruct them that 419 scams are just that, scams, visiting porn sites will likely destroy your computer with malware, and safe banking and purchasing can be accomplished, you just have to verify the sites. There is nothing the average user can get that will show them what to do in case of malfunction.

And those stupid commercials that promote speeding up your computer through an online scan sound just as bad and malicious as the free a/v scan advert that tells you it's found 19 viruses that didn't exist until you had visited the compromised site.

/end rambling rant, sorry.

Re:Fear and loathing in PC Town (1)

gx5000 (863863) | more than 4 years ago | (#31957702)

Rambling? Not at all... Do we need to say it? Planned obsolescence and degradation.... You could make a bullet proof internet client etc... The next thing you know it would come under state control... The chaotic nature of the web is what keeps it free and dangerous... The lack of education (not tools) is what keeps the revenues up.... If every ISP terminated all nefarious websites and accounts they would lose untold millions... It's the old perfecting the battery story, if you make something that good, you somehow destroy its economic future.... I was just upset about another fear book coming out... You'd do better spending the cost of the book on a tech with cred showing you how to protect yourself....someone who's been on the IT plane of existence for over 5 years minimum....

Re:Fear and loathing in PC Town (0)

Anonymous Coward | more than 4 years ago | (#31958068)

where do you see FUD in the book?

seemed pretty pragmatic to me.

Re:Fear and loathing in PC Town (1)

Kaboom13 (235759) | more than 4 years ago | (#31959266)

Not going to "those" sites is not enough anymore. An employee of ours recently got a virus from a PDF exploit from the website for the professional photographer for a family wedding. Her website got hacked, and without realizing it she was infecting all the customers she sent links to review their photos so they could order copies. I confirmed it myself with a VM. It blew right through a fully updated AV, and the Reader plug-in was only about 30 days out of date. Telling users not to go to the "bad" places is not an answer. Staying up to date is way more complicated than it should be, and the most frequent offender is Adobe.
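A PDF served from a compromised but otherwise legitimate site is the classic drive-by of that era, and the first thing an analyst does with the file is a static triage for active content before ever opening it. The script below is an added example, not code from the commenter and not any vendor's detection: it applies the keyword heuristic popularised by pdfid (count names such as /JavaScript, /OpenAction and /Launch), normalises the #xx hex escapes that malware uses to hide those names, and also inflates FlateDecode streams so names tucked into compressed object streams are seen. The two PDF byte strings are constructed for the example; the list of risky names is an assumption, and the script deliberately does not parse the cross-reference table, handle encryption or decode filters other than Flate, so a zero count is not a clean bill of health.

```python
import re
import zlib

# Names whose presence usually means the document carries active content (assumed list, pdfid-style).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/RichMedia")

# A PDF name token: '/' followed by regular characters or #xx hex escapes (the escape form is
# legal per the spec, and exactly what obfuscated samples use to dodge naive string matching).
NAME_RE = re.compile(rb"/(?:[A-Za-z0-9_.\-]|#[0-9A-Fa-f]{2})+")

# Raw stream bodies between the stream/endstream keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decode_name(token: bytes) -> str:
    """Turn b'/J#61vaScript' into '/JavaScript' by resolving #xx escapes."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that turns out to be zlib/Flate encoded."""
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()  # tolerates the trailing newline before 'endstream'
        try:
            yield d.decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed, or a filter this triage does not handle


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and in every inflatable stream."""
    counts = dict.fromkeys(RISKY_NAMES, 0)
    for blob in (data, *inflated_streams(data)):
        for tok in NAME_RE.findall(blob):
            name = decode_name(tok)
            if name in counts:
                counts[name] += 1
    return counts


def is_suspicious(data: bytes) -> bool:
    return any(triage_pdf(data).values())


# Constructed samples, not real documents. The "suspicious" one hides /JavaScript behind a hex
# escape and a /Launch action inside a Flate-compressed stream; the other is an empty catalog.
_payload = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Length " + str(len(_payload)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _payload + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        hits = {k: v for k, v in triage_pdf(doc).items() if v}
        print(f"{label}: {'SUSPICIOUS' if is_suspicious(doc) else 'no active content found'} {hits}")
```

On the constructed sample the triage reports one /OpenAction, one /JavaScript (recovered from the #61 escape), one /JS and one /Launch that only becomes visible after the stream is inflated; a plain `grep JavaScript` sees none of the first three. For a real incident the next steps are to pull the script out with a proper parser and detonate the file in a VM, as the commenter did.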

aggressive malware (0)

Anonymous Coward | more than 4 years ago | (#31956408)

Is there a statistical breakdown as to which operating system platform the vast majority of this 'aggressive malware' runs on? Do the designers of such systems bear any responsibility for the current malware infestation? What is the dollar value lost to the economy in fraud, and revenue diverted into security solutions?

Missing something? (4, Informative)

American AC in Paris (230456) | more than 4 years ago | (#31956428)

"As computing and technology has evolved, so too have the security threats correspondingly evolved. The classic Yankee Doodle virus of 1989 did minimal damage, all while playing a patriotic, albeit monotone song. In 2010, aggressive malware now executes in stealth mode, running in the background with an oblivious end-user, and antivirus software that can’t detect it."

Yeah, the 1989 Yankee Doodle virus was pretty harmless.

You need to go all the way back to 1988 to find a worm which effectively shut down the Internet.

How one can overlook the Morris Worm in this context is completely beyond me.

Re:Missing something? (1)

gx5000 (863863) | more than 4 years ago | (#31957616)

Well put... Melissa probably reduced him to tears...ugh

Re:Missing something? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31957718)

The Morris worm affected Unix.

Unix is completely safe.

Therefore, the Morris worm never happened.

Re:Missing something? (1)

koiransuklaa (1502579) | more than 4 years ago | (#31966332)

Exactly. Even if you look at just viruses for Microsoft platforms, Dark Avenger came out in 1989, spread wildly and destroyed user data without caution.

the first rule of cyberwarfare (1)

Anonymous Coward | more than 4 years ago | (#31956644)

#1 - The first rule of cyberwarfare is, you do not talk about Microsoft.

#2 - The second rule of cyberwarfare is, you DO NOT talk about Microsoft.

He calls for the end of OSS (3, Interesting)

wiredog (43288) | more than 4 years ago | (#31956946)

more liability against software developers who write insecure code

So now we have to buy expensive insurance before we write OSS code? What about the liability of students?

Re:He calls for the end of OSS (1)

maxwell demon (590494) | more than 4 years ago | (#31957294)

more liability against software developers who write insecure code

So now we have to buy expensive insurance before we write OSS code? What about the liability of students?

If done sensibly, you'd have to buy insurance if you sell software. If you take money for it, you should also take responsibility for it.

Re:He calls for the end of OSS (1)

mswhippingboy (754599) | more than 4 years ago | (#31957562)

I guess the question to ask is - what is more vulnerable to virus threats, Linux (OSS) or Windows (closed source)?
Nuff said.

Re:He calls for the end of OSS (0)

Anonymous Coward | more than 4 years ago | (#31958314)

Well, perhaps it is a way to get companies to really start thinking about writing secure code.

Good Writing (0)

Anonymous Coward | more than 4 years ago | (#31957036)

"While Willie Sutton never really said that the reason he robbed banks is because that's where the money is; the truth is that today's cyber criminal does know where the money is, and its address is the Internet."

Wow, I hope the writing in the BOOK is this good!

Re:Good Writing (1)

boneclinkz (1284458) | more than 4 years ago | (#31957618)

lol you've got a point I want to be a copyeditor. Willie Sutton knew how to get money from the Internet; that was the address of the place where money could be gotten, instead of by robbing banks because he was a CYBER CRIMINAL.

Cost versus Convenience (0)

Anonymous Coward | more than 4 years ago | (#31957234)

One of Menn's criticisms is that the US Government spends a fraction of what it should on securing its critical technology infrastructure. Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is the wake-up call that those in Washington, and those charged with IT need to wake up to. Unfortunately, it is likely those that truly need to read this book, will press the information security snooze button yet again.

Yep, and as soon as a Pentagon wonk totals up the numbers for 'fixing' the problem that snooze button will be impacted right into the core of the planet.

Gratuitous Princess Bride quote (0)

Anonymous Coward | more than 4 years ago | (#31957410)

"albeit monotone song"

I don't think that word (monotone) means what you think it means.

Yankee Doodle (0)

Anonymous Coward | more than 4 years ago | (#31957532)

Man, only virus I've ever got is Yankee Doodle, but as a grown up I could not find information about the virus because I remembered it as "Yankee Dodole", I finally know the real name!

tl; dr (0)

Anonymous Coward | more than 4 years ago | (#31957588)

There's something rotten in the land of Denmark.

argh (1)

eyeareque (454991) | more than 4 years ago | (#31958174)

Those of you haters out there should actually read the book. You're all quick to judge something you know nothing about.

I've seen the author speak about this book, and I have read the book. It's an excellent book about cybercriminals and a huge takedown of a Russian botnet.

I hear he is speaking at Defcon and Blackhat in Vegas. I recommend going to see his talks, they will be one that you don't want to miss.

Re:argh (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31958574)

dude, this is /.

they hate, they judge, and never read the books :)

seriously...look at all of the comments for this and other books.
the people who comment obsess on tiny little things (for this review, the word 'cyber'),
but they never discuss the merits of the book.

i feel your pain.

shutting it down (1)

sohp (22984) | more than 4 years ago | (#31958874)

Who needs malware when we have McAfee anti-virus signature file updates?

Flying Under the Radar (2, Interesting)

nuckfuts (690967) | more than 4 years ago | (#31958902)

malware now executes in stealth mode, running in the background with an oblivious end-user

I've long been puzzled by malware that doesn't do this. Many trojans I've cleaned from people's computers download other pieces of malware. I once gave a demonstration of "drive-by" infection where merely viewing a malicious web page on an unpatched system resulted in nearly 20 new processes being spawned in the background. Impressive, in a way, but exceedingly obvious. Even clueless users can't help but notice that something is wrong, and IT gets called in to clean it.

Re:Flying Under the Radar (0)

Anonymous Coward | more than 4 years ago | (#31971038)

how come not a single comment talks about the book? its contents? etc.

it is all about the word 'cyber' and the intro about 'malware'.

come on people!
