Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Desktop Security Battle May Be Lost

kdawson posted more than 4 years ago | from the deploy-the-tinfoil-hats dept.

Security 389

Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.

cancel ×

389 comments

Sorry! There are no comments related to the filter you selected.

Though the Times They May Look Grim ... (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#32128598)

The Desktop Security Battle May Be Lost

No, you must have hope! We just need to hold them off a little longer until Gandalf the White Hat shows up on Shadowfax Machine.

Re:Though the Times They May Look Grim ... (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32128684)

FOR x64!!!

Re:Though the Times They May Look Grim ... (1)

jgagnon (1663075) | more than 4 years ago | (#32128800)

The C64 was more secure... :p

Re:Though the Times They May Look Grim ... (5, Interesting)

Z00L00K (682162) | more than 4 years ago | (#32128804)

The major problem we actually are suffering from is that the world depends way too much on a single environment. And that environment is a kludge.

I'm not saying that Linux is much better - just somewhat better since it isn't as integrated as Windows.

As for losing the battle - this is a battle you only lose when you give up. As long as you persist you won't lose. You may get some beating now and then, but that's not a big issue since you can come back.

Re:Though the Times They May Look Grim ... (1)

IshmaelDS (981095) | more than 4 years ago | (#32128910)

I disagree I think the major problem we are suffering is that we aren't securing the machines from the get go. The environment is a kludge, but if you don't let everyone run as an administrator all the time, teach them not to click yes blindly to every pop-up box without reading it, teach them not to fall for every phishing attempt under the sun then you don't have to worry nearly so much. Not saying it would be impossible to crack a system, just that you don't have to worry nearly as much. I run a network and am both network and systems admin and I haven't had a virus or spyware incident (at least that i know of ;) hehe) in 4 years, the one I did have at that time was contained to only one machine and really wasn't much of an incident. But I run a tight ship security wise, though most of the users don't know it.

Re:Though the Times They May Look Grim ... (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32129074)

teach them not to click yes blindly to every pop-up box without reading it, teach them not to fall for every phishing attempt under the sun

You cannot teach them something they do not want to learn. Users don't want to think about the pop-up box they just want it out of the way. Unnecessary dialogs have trained them to just click Yes or OK and get on with what they were doing. Horridly lengthy and unreadable EULA's have trained them to just scroll down and click Accept. Installers with too many pages have trained them to just keep clicking next till it says it's installed (something those insidious toolbars that are checked on by default take full advantage of).

Re:Though the Times They May Look Grim ... (3, Funny)

angelwolf71885 (1181671) | more than 4 years ago | (#32129270)

Ron White once said " you cant fix stupid "

Re:Though the Times They May Look Grim ... (5, Informative)

jemtallon (1125407) | more than 4 years ago | (#32128954)

If you'd have read the article, you'd know that home networks are the new frontier for hackers and a big reason why security experts are giving up the desktop fight to focus on the network instead. From the article: "... it won’t matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below." So the old Blame Windows standard won't work in this case.

Demotivators (1)

mevets (322601) | more than 4 years ago | (#32129302)

Quitters never win.
Winners never quit.
But those who never win and never quit
are idiots.
-- despair.com

Re:Though the Times They May Look Grim ... (4, Interesting)

Monkeedude1212 (1560403) | more than 4 years ago | (#32129554)

It's true. And I've actuall recieved one of these attacks on Routers before, and it ain't pretty.

So I live with 2 room mates. One of them (we'll call him A) doesn't know a lot about computers besides they play awesome video games. The other (We'll call him B) one loves computers and how he can Torrent "1080p" movies before the blu ray even comes out. He knows enough about computers to set the basic stuff up himself, and I'm sure the average user would call him good with computers, but you or I would be able to tell right away that he's just above average.

So B downloads a movie. I believe it was Sherlock Holmes. Anyways, he moves it to this external Hard Drive we have laying around, then tries it on his desktop in the living room to see if it works. Video plays, but then he starts getting pop ups. "Dang" he tells himself, tries using the BitDefender online scanner as he leaves for work. A comes home from work a couple hours later, moves the External Hard Drive to the Xbox360, notices Holmes is on there, and tries playing it. It doesn't work. So he moves it over to his desktop in his room, tries it, Hey it plays! But now he's got pop ups as well.

So I come home, and I decide I want to put on a movie. I move the external hard drive back to the 360 because its got Office Space on it, and watching that movie after a hard days work makes me feel better about not stealing from my company. Anyways, I notice Sherlock Holmes is on it, but I mean we saw it in theatres like a couple months ago so no reason to watch it again just yet. I open up B's desktop to surf the net while watching the movie. Pop ups. Well we'll clean that later. Dealt with enough stuff at work, not in the mood. So I bring out my laptop. That's odd, somethings hijacking my browser. So I boot into safe mode and run a scan on it. Nothing. That annoys the hell out of me. So grab the screw driver, rip out the hard drive, slave it, scan it from my desk top, still nothing. Well what the frack? I put everything back to normal, boot it up, look at the settings. That doesn't look like the regular DNS... though its hard to tell. Same DNS on the desktop. Try browsing the desktop, also getting highjacked.

Okay, so I log into the gateway. Telus gave us this really crappy DSL/Wireless router. I never changed the admin password (admin/telus) on it, but I put a wireless password on it, my initial premise being that should Telus need to remote in for any other issue there wouldn't be an issue, and the only way someone would get into our network was either breaking PSA2/AES or by plugging in locally. In hindsight that was a bit of a mistake. Anyways, so I look at the router and it's DNS was changed from automatically retrieve to the bad DNS.

Alright. So I change the admin password and change the DNS back, and unplug everyone but me from the router. Don't want the infected machines pushing out the DNS again. I spend the rest of the evening slaving the 2 infected Desktops and cleaning them off, and even checking the 360 hard drive (cause you never know if they've somehow managed to write a virus for that, but luckily it didn't get infected). Then putting everything back to normal. A and B were a little pissed because they were without internet, and without their computers for a little while (which just made me upset because I didn't start the problem, but I had to fix it).

After everything was working and we were done yelling at each other, we all played a game Age of Empires 2, co-operatively against computers. It's like Make up sex for nerds. But to be honest, I still get a little tired of having to deal with that kind of stuff. We're all moving out in July.

Re:Though the Times They May Look Grim ... (2, Funny)

digitalmonkey2k1 (521301) | more than 4 years ago | (#32128882)

They may take our identities, but they'll never take OUR LOLCATS!!!!

Re:Though the Times They May Look Grim ... (1)

llvllatrix (839969) | more than 4 years ago | (#32128952)

...and my hax!

Re:Though the Times They May Look Grim ... (0)

Anonymous Coward | more than 4 years ago | (#32129358)

No the 84th is going to pull out because it's too hot.
You should just lay down arms.

Castles made of sand... (0)

Anonymous Coward | more than 4 years ago | (#32128694)

... fall into the sea, eventually.

And this is why... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32128728)

customers' desktops need to use GNU/Linux.

Re:And this is why... (3, Funny)

Anonymous Coward | more than 4 years ago | (#32128758)

Then they could just assume that the customer's computer is incompatible.

Re:And this is why... (2, Funny)

mweather (1089505) | more than 4 years ago | (#32128830)

Your bank uses activex?

Re:And this is why... (5, Insightful)

Hizonner (38491) | more than 4 years ago | (#32128986)

The fundamental security model of Linux is no better than that of Windows. The main reason Windows gets nailed is that it's more profitable to write malware for Windows than for anything else. If Linux had the market share of Windows, it would have as much, or nearly as much, malware.

In either Linux or Windows, being able to run any code at all gives you essentially complete access to the user's data, plus almost unlimited access to system resources, plus the ability to talk to the network. Who cares if you're not running as root if everything interesting is owned by the user's account?

There are ways to make systems more secure, starting with strong containment. How strong? Strong enough that your program can't even express the desire to, say, open a file that the user hasn't given it a capability for. Strong enough that the user has to jump through hoops to give certain programs access to certain data. Especially programs with network access... which need to be only the programs that actually need it. Strong enough to subdivide lots of functions that people are used to putting together in the same process. Strong enough that you can forget about most of the APIs you're used to coding with. And, if you're going to run apps out on the network, that whole system has to extend out into the network as well.

On top of that, people ought to be using tools that make it a lot harder to express common security bugs, and that help you to notice when you've created others.

If this is to be fixed, users and programmers are going to have to change the ways they do things. I'm not super optimistic.

Linux helps not at all. Even OpenBSD wouldn't help much.

Re:And this is why... (2, Insightful)

poetmatt (793785) | more than 4 years ago | (#32129080)

you are quite a jokester, sir.

The differences in how to gain administrator access do affect up front security requirements.

It's not about profit, it's that windows gives people administrator by default (and you can still enable it in Windows 7).

iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.

The rest of the security is no different in most scenarios whether windows or linux. However, on this front, UAC doesn't do squat (especially when you can get around UAC).

Re:And this is why... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32129242)

iexplore.exe never asks for admin access. The installer for IE updates does, as it should, but iexplore.exe never does (unless a plugin does, I suppose -- or if you're blaming an application you downloaded on IE on iexplore.exe even though it's a different process).

Re:And this is why... (2, Insightful)

toadlife (301863) | more than 4 years ago | (#32129346)

malware writers don't care one bit about administrator/root access. All they want is computers' resources.

And on a side note, UAC is light years ahead of it's Linux equivalent, gksudo, which can be easily faked by a rogue processes and in combination with cached credentials (see:Ubuntu) will give up root permissions to any rogue process that wants them.

Re:And this is why... (3, Insightful)

Hizonner (38491) | more than 4 years ago | (#32129430)

So, suppose I'm the business end of a botnet.

What does administrator access give me?

Sure, I'll take if I can get it, because it might come in handy. But how important is it to me, really?

If I want to steal the user's credit card number, it's right there in a Quicken file. No admin access required.

If I want the user's contact list, it's in Outlook or whatever.

If I want to steal the user's passwords, no problem, I can still hook the keyboard one way or another, or just grab them from the browser's password store.

I may not be able to rewrite the browser, but I can debug the browser process and get the same effect.

If I want to run the webcam, no privileges are required.

If I want to send spam, I can make a TCP connection without administrator access.

OK, I may have trouble hiding myself as well as I'd like from privileged anti-malware programs, or make it monstrously hard for them to remove me. There are a few things I can't change on the local system. I probably can't hook file system or network access, and if I can it's probably for only one user. There are a few not-that-important services I can't talk to. I can't mess with the lower layers of the network very much. I can't create another user. It would be nice to be able to do those things. But it's not like I'm seriously handicapped without administrator access. And, since I also have access to run privileged programs or send requests to privileged services, I have a huge surface available to attack with 'sploits if I do want administrator access.

Same on Linux. Yeah, there are differences, but they're down in the noise; they aren't the sorts of qualitative things that would really matter in terms of making the desktop trustworthy.

Re:And this is why... (1)

Neoprofin (871029) | more than 4 years ago | (#32129474)

And if everyone in the world used Linux how long do you think it would be before people were sudoing Banzai Buddy?

There's no security that can't be defeated by the end user. If they have the ability to access administrator at all then they have the power to negate everyone's hard work.

Re:And this is why... (3, Insightful)

ffreeloader (1105115) | more than 4 years ago | (#32129500)

You're wrong in saying administrator access is the basic difference between Linux and Windows. The most basic difference is in default file permissions. Windows ties read and execute together by default. You put an executable on a Windows system and it's immediately executable by anyone. That is not true with Linux. Executables are only executable by default if a a system tool, such as apt-get, yum, etc... is used to install them. Otherwise, the user himself must add the execute permission to the file.

This is a huge barrier to malware spreading like many instances of Windows malware has spread. Remember all those instances of one person opening an infected email and everyone in the office being infected as a result? Can't happen on Linux due to file permissions. That executable can't execute unless/until the user gives it execute permission.

Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it. Try that on Windows and it works. No changes necessary. That's a huge difference in security.

Re:And this is why... (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32129244)

While your suggestion is architecturally sound, the problem is that it is either A) A gigantic pain in the ass. or B) Gives enormous power to the vendor, that they will almost certainly exploit.

In the case of Linux, "A" largely applies. A properly configured SELinux setup will give you most of what you are asking for; but those are enough of a pain to set up that very few people have them.

Re:And this is why... (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32129416)

Your argument is lame and shows your bias and ignorance as a win-fanboi

There are ways to make systems more secure, starting with strong containment. How strong? Strong enough that your program can't even express the desire to, say, open a file that the user hasn't given it a capability for. Strong enough that the user has to jump through hoops to give certain programs access to certain data.

You have just described Vista to a tee. Look what a piece of shit that thing is and no more secure than a screen door on a bank vault.

To bring Linux and OpenBSD into your argument shows just how stupid and ill informed you are.
Please pull you head from your ass before joining discussions on computer security when all you know is windoz
Better yet, keep quite until you learn more on the subject at hand before posting stupid shit

Your post should modded Troll

Except you still miss the point (4, Insightful)

Moraelin (679338) | more than 4 years ago | (#32129196)

customers' desktops need to use GNU/Linux.

I know that it's a sacred tradition to regurgitate fanboy oneliners without thinking, but in this case

1. it was even in the summary that by now even home routers are targeted by the asshats. I fail to see how a hardened Linux PC helps there.

2. Actually, it seems to me like most zombie PCs nowadays don't come from port overflow attacks any more, but because of users clicking on spam links, re-entering their bank password on some www.i-pwn-you.ru site (fictive address for example sake) because the email told them to, and installing crap.

I'm not sure how Linux would help there at all. You do know that you can download and install rootkits for Linux too, right? In fact even the term rootkit comes from the Unix world, not from Windows. What's to keep an asshat from making their rootkit masquerade as a cutesy Linux screensaver instead of a cutesy Windows screeensaver?

If user clue remains a constant, meet the Clueless family, a white suburban family whose only knowledge of computers is that the nice guy at the shop said they need the most expensive one: you'll still have Joe Clueless opening executables he received in spam mails. And his wife Jane Clueless confirming her Paypal and eBay password the fourth time this week alone, and none of them was on paypal.com or ebay.com. And downloading and installing some piece of spyware masquerading as some cutesy utility or casual game. And their son, Timmy Clueless installing what some dodgy site told him is some hack to see through walls in Counter-Strike. And of course it needs to be installed as root, in fact as a kernel module. So punkbuster (or equivalent) can't detect it, you know? *nudge* *nudge* *wink* *wink* Know what I mean, eh?

Just as they're not deterred by Windows popping up a big fat windows asking them if they really want to install stuff, they won't be deterred by whatever hoops your favourite Linux distro makes them jump through either. If they have to su -, they'll su -.

End result: they're still pwned.

Re:Except you still miss the point (2, Informative)

causality (777677) | more than 4 years ago | (#32129338)

1. it was even in the summary that by now even home routers are targeted by the asshats. I fail to see how a hardened Linux PC helps there.

A hardened Linux PC makes a fine router. Older hardware will do the job just fine too, so nothing expensive or exotic is required.

Re:Except you still miss the point (1)

Real1tyCzech (997498) | more than 4 years ago | (#32129490)

The amusing thing here....is that most routers run Linux.

Re:Except you still miss the point (1)

Znork (31774) | more than 4 years ago | (#32129496)

What's to keep an asshat from making their rootkit masquerade as a cutesy Linux screensaver instead of a cutesy Windows screeensaver?

Mainly the fact that they need to get their cutesy screen-saver into a distribution repo to actually gain a significant level of deployment. At least most Linux users I know add very little software that isn't included in their main repo or one of very few specific extras. Anything beyond that gets treated with a certain level of suspicion.

Excellent (2, Funny)

hodet (620484) | more than 4 years ago | (#32128748)

That was a great piece of investigative journalism. Banks have accepted that all their customers are infected and gawd knows that every last home router is insecure. So not only are you infected but you don't even know it. Run for the hills.

The most amazing part... (2, Insightful)

RingDev (879105) | more than 4 years ago | (#32128828)

of this alarmist drivel is that there are only 2 adds on the poster's page.

-Rick

Re:The most amazing part... (1)

raddan (519638) | more than 4 years ago | (#32129558)

I know. For all the hype, you'd think you'd at least get some multiplication action in there, or heaven forbid, a divide.

Re:Excellent (4, Interesting)

memnock (466995) | more than 4 years ago | (#32128908)

if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?

perhaps the banks have realized this could be a new way for them to make money: they could start making and selling some kind of secured, dedicated routers or something, for those customers that have to take care of their banking online. no router, no access.

Re:Excellent (1)

Bigbutt (65939) | more than 4 years ago | (#32129272)

Wasn't there a recent Slashdot article where some banks are now providing bootable media for use when accessing the bank's website?

Won't work with an iPad though :)

[John]

Actually, it seems reasonable to me (3, Insightful)

Moraelin (679338) | more than 4 years ago | (#32129636)

Actually, it seems like a reasonable assumption to me. Always code or design assuming the worst. Before you decide what hoops you make the user jump through to get his money online, assume that he's pwned in every imaginable way, that his firewall is mis-configured to be a digital goatse ;) and probably he's not even who he says he is. And he's probably trying to break your system too. Because sooner or later you'll have to deal with just that. Now what can you do to mitigate such a situation?

Basically you can divide people and design philosophies into a spectrum between:

- optimistic: they expect the best possible outcome. They just know it'll be all right. The world is nice, the users do exactly the click sequence they've been told to, and his functions only receive exactly the right input.

- pessimistic: they expect that Murphy's Law is actually a law of the universe, and if something could possibly go wrong without violating the laws of physics, it will. Actually the real serious pessimists don't even exclude the laws of physics going wrong. They tend to have the speed of light as a variable ;) They also tend to bring a sweater or two along when going to the beach in Florida in August. And they just know that some bastard out there will feed their program the wrong input, or will have his password stolen by a keylogger and then sue when he finds his account empty. They tend to rarely be disappointed in those expectations, actually.

Personally I like my programs and processes designed by the latter. And it seems to me like this is what those banks are doing. They're for a change starting from the worst possible scenario as an assumption. Nothing wrong with that.

It was never a battle..... (1)

irreverant (1544263) | more than 4 years ago | (#32128750)

Does any one remember WinNuke and 95, 98.a, since then it's been a joyride, cDc with back orifice. There will always be methodologies to penetrate microcomputers as long as an incentive exists. The only way to win this 'battle' is to remove the user from the equation; We all know this won't be happening... so live ignorantly and make do with your computer in some state of fault. Happy surfing!

Re:It was never a battle..... (1)

jgagnon (1663075) | more than 4 years ago | (#32128856)

Kill them all and let waste management sort it out?

Re:It was never a battle..... (0)

Anonymous Coward | more than 4 years ago | (#32129034)

Soylent green is users!

It's a matter of convenience (3, Insightful)

molnarcs (675885) | more than 4 years ago | (#32129062)

It's simply a matter of convenience. There are several ways to make online banking completely secure. For instance, the bank could distribute Live CDs/USBs with a bare linux system and a browser. You want online banking? Wait for a minute or two, then login through the browser presented. Problem is, no one would put up with such inconvenience. WE WANT ACCESS RIGHT NOW!!!! Waiting for two minutes is unthinkable... Ultimately, you're right - as long as there are users, there will always be security problems, although the solution is 2 minutes away. We are just so fucking impatient :)

Re:It's a matter of convenience (1)

Bigbutt (65939) | more than 4 years ago | (#32129280)

Hey, where do I put this USB key or Live CD in my iPad? :)

[John]

Re:It's a matter of convenience (1)

Steauengeglase (512315) | more than 4 years ago | (#32129566)

Oh, you know where.

Re:It's a matter of convenience (0, Troll)

Amouth (879122) | more than 4 years ago | (#32129418)

so your saying a Live CD going out over a router to the net is "completely secure" if i have control over that router???

if i control the router.. i control your connection - you might think you are connecting to the bank.. but your not.. your connecting to me..

owning the router/switch is the highest form of MIM for network data..

Re:It's a matter of convenience (0)

Anonymous Coward | more than 4 years ago | (#32129458)

How does that help if the underlying network infrastructure is totally compromised? To the point where it is running MITM and other related attacks?

Re:It was never a battle..... (0)

Anonymous Coward | more than 4 years ago | (#32129508)

cDc with back orifice

I used to scan my ISP's local subnet and find about 10-30% of the hosts infected with BO. In the root of their "C:\" drives people would leave blank files as a sort of signature (foo was here!.txt). The meanest thing I ever did was change the shell to progman so that when they would next reboot their machine would load the old Windows 3.11 shell instead of explorer.

Does it matter? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32128770)

They'll just use it as an excuse to sell 'identity theft' insurance and dump more
liability onto the customer. Their security isn't much better. PCI specs aren't
nearly good enough and evven if it was it wouldn't matter considering the way they
handle data security. Using regular post to send CDs of customer records unencrypted,
laptops lost and data breaches. Chip and Pin is a joke. Contactless transactions are worse.

They really dont care as long as it doesn't cost them much and they can dump most of the liability onto us.

The Security Battle is Lost... (-1)

Anonymous Coward | more than 4 years ago | (#32128796)

...unless you buy my new product!

Don't worry! (4, Funny)

eln (21727) | more than 4 years ago | (#32128798)

The Year of Linux on the Desktop(tm) is just around the corner!

Re:Don't worry! (2, Informative)

landoltjp (676315) | more than 4 years ago | (#32128994)

As much as I'm a fan, t'wont help, according to TFA:

Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. [...] it won’t matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below

Re:Don't worry! (1)

Skarecrow77 (1714214) | more than 4 years ago | (#32129212)

Too busy to read TFA... but how the hell are they infecting firmware? That seems like a huge oversight by Linksys, Netgear, etc.

It's like they're parking a tank in front of your house to defend you from the bad guys, and then leaving the keys to the tank in the ignition.

Wait, do tanks use keys?

Wait pt 2, did I just make a car analogy?

Re:Don't worry! (3, Interesting)

edremy (36408) | more than 4 years ago | (#32129274)

Wait, do tanks use keys?

Actual serious answer: they don't. Too many chances to lose them. You lock up a tank by locking all the hatches internally but one, then putting a exterior padlock on that.

Re:Don't worry! (1)

Cruise_WD (410599) | more than 4 years ago | (#32129442)

That's okay, in another decade "The Year of Linux on the Router" will be just around the corner :P

In all seriousness, however, while there's nothing that can be done about the user making bad decisions, the OS can do a fair bit to mitigate the effect of those decisions.

Not running as a privileged user, having space, cpu and network caps in place, etc. are a start.

There always will be a trade-off between letting the user do something easily and not letting a program do something too easily. With decent UI design, education and OS support, however, that ratio can be improved.

Security is as futile as DRM. Of course we lost. (0)

maillemaker (924053) | more than 4 years ago | (#32128802)

Of course we lost it.

If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.

There are things you can do to "keep the honest people honest", but there is little you can do against those who are determined to do bad things.

Re:Security is as futile as DRM. Of course we lost (1)

jgagnon (1663075) | more than 4 years ago | (#32128916)

there is little you can do against those who are determined to do bad things.

Or against those that are determined to do stupid things, regardless of warnings and education on the dangers.

Re:Security is as futile as DRM. Of course we lost (1)

causality (777677) | more than 4 years ago | (#32129560)

there is little you can do against those who are determined to do bad things.

Or against those that are determined to do stupid things, regardless of warnings and education on the dangers.

I've always thought it would be a great idea for the state law enforcement agencies to look for e-mail addresses the same way spammers do. Then send fake phishing e-mails to those addresses. If a user responds favorably or goes to the phishing site, apply a court order requiring that the user is denied Internet access for six months. The justification is that their stupidity creates botnets and enables spam that harms many other people and reduces the overall quality of the entire network; therefore they should be held responsible for it.

While I don't normally want the government to find new ways to get involved in things, this one isn't so bad because it requires the active participation of the user. If your e-mail address is already out there, one more phishing attempt is a drop in the bucket. Other than one additional e-mail, anyone with sense enough not to respond to phishers would not be affected by this.

Re:Security is as futile as DRM. Of course we lost (3, Insightful)

SanityInAnarchy (655584) | more than 4 years ago | (#32128938)

If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.

What? No.

DRM can always be defeated because of its design. If I lend you the key to my apartment so you can go in and borrow some sugar or something, there's nothing I can do to stop you from cleaning out my apartment and skipping town. But to claim all locks are futile because of that is just retarded.

DRM can always be defeated because the "attacker" is exactly the same as the user, and you're already giving them everything they need. That is a system which is fundamentally flawed. Real security is where you don't give the attacker your keys, passwords, etc.

It is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people. There are also vulnerabilities from sloppy coding, but these have very little effect against users with good security habits.

Sure, it may never happen, but if so, that's because we'll always make mistakes. A completely secure DRM scheme is actually a logical impossibility, even if no one makes any mistakes.

Re:Security is as futile as DRM. Of course we lost (2, Insightful)

Kell Bengal (711123) | more than 4 years ago | (#32129160)

I agree with you, but I think a better analogy to PC security is hiring a chauffeur to drive your car. Suppose you tell him to drive to a bad part of town so you can check out the russian porn sites, but don't lock your doors. While you're away somebody opens the car, clubs Jeeves over the back of the head, steals his uniform and pretends to be him. When you get back to the car, you sit in the back seat and tell him where to go and don't really pay attention to the fact that now he has a mustache and speaks only Nigerian.

If you'd had locks on your car (and if you'd avoided the bad parts of town) then you'd be ok. However, because you went to foolish places and didn't take precautions, it's no surprise that next time you tell Jeeves to take you to the bank, you get taken for a ride in more ways than one.

Re:Security is as futile as DRM. Of course we lost (1)

Capt.DrumkenBum (1173011) | more than 4 years ago | (#32129424)

You are not advocating that people stop downloading Russian porn are you? Because that is just crazy talk!

Re:Security is as futile as DRM. Of course we lost (1)

ffreeloader (1105115) | more than 4 years ago | (#32129608)

t is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people.

Err, that someone running of with your laptop is a "people". So is that someone who's writing malware.

Re:Security is as futile as DRM. Of course we lost (0)

Anonymous Coward | more than 4 years ago | (#32128958)

No, I think you misunderstand. DRM is literally futile, in that unless you're playing something on a black box to which you have no access beyond basic input, it will be possible to break it. There is literally no way to do what they want to achieve.

Security is technically possible, and isn't really that hard to achieve on a simple level. The difficulty comes in with the added complexity needed to make systems more usable. It's ridiculously difficult, but when a system is built properly and accompanied with user training and users that know what they're doing, you can get pretty damn secure.

Not really the same thing.... (1)

Joce640k (829181) | more than 4 years ago | (#32128962)

DRM is futile because customers need to have the 'secret' deciding key inside their machine to see the content. Combine this with a PC where you can look into the RAM and mess with it and you've got fail with a capital F.

Security isn't a product, it's a process. The problem isn't the security it's getting ordinary people to follow the process.

Re:Security is as futile as DRM. Of course we lost (1)

molnarcs (675885) | more than 4 years ago | (#32129114)

I hope that was a joke. Terrible analogy. Let's think for a moment what would happen if we dropped all security measures in place today. I mean all (drop all firewalls, disable all spam filters, anti-virus, encryption, etc.). The Internet would collapse in a matter of seconds. Emails becoming completely unusuble, the remaining PCs infected, servers rooted, websites defaced... Now imagine what would happen if we suddenly dropped all DRM schemes. Nothing.

Re:Security is as futile as DRM. Of course we lost (1)

benjfowler (239527) | more than 4 years ago | (#32129450)

We could start, by throwing the book at money mules. Anybody who's busted gets 5 years in the slammer for fraud, and paraded on the 6 o'clock news.

The failure to vigorously prosecute money mules is the big elephant in the room at the moment.

They should never have trusted customer machines. (4, Insightful)

John Hasler (414242) | more than 4 years ago | (#32128820)

> ...many organizations, particularly in the financial services industry,
> have gotten to the point of assuming that their customers' desktops are
> compromised.

They should have been assuming that all along. They should assume it even if only a tiny fraction of their customers' desktops are compromised.

What's a "Virus"? (1)

aquabat (724032) | more than 4 years ago | (#32128862)

What's a "virus"? I can't find any reference to it in portage:

emerge -s virus
Searching...
[ Results for search key : virus ]
[ Applications found : 0 ]

And what do condoms have to do with computer security, anyway?

(ducks for cover)

Re:What's a "Virus"? (0)

Anonymous Coward | more than 4 years ago | (#32128906)

+1, Smug.

Re:What's a "Virus"? (1, Funny)

Anonymous Coward | more than 4 years ago | (#32128942)

for i in *.sh ; do

    if test "./$i" != "$0"; then

        tail -n5 $0 | cat >> $i

    fi

done

Re:What's a "Virus"? (1)

calmofthestorm (1344385) | more than 4 years ago | (#32129026)

You used to be able to sudo apt-get install keylogger under Debian. Even when it comes to being compromised, Linux makes it easier;)

This again? Really? (0, Redundant)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32128940)

Don't use Windows. Was that so hard?

I am not saying that all other operating systems are perfectly secure by default or that they are invulnerable, but windows is absolutely insecure. We have to face that truth.

Microsoft's security record is laughable. And I'm not even talking about particular exploits, bugs can be fixed, I am talking about design. Windows is designed to be insecure. Security was never really taken seriously at microsoft. There are countless techniques to escalate permissions on just about any win platform (Including windows vista and 7). And this are not obscure and complex vulnerabilities. This are simple 50 lines executables that allow you to escalate any process you want with a few clicks.

Just take a look at any of their products, either server or desktop, and their security record will be worse than any competitor. Exchange, SQL, IIS, Explorer, Windows, Office. They allow script execution in crazy places (like a simple text document or spreadsheet).

Windows is insecure for a very good reason: Because there is a huge industry that developed around fixing windows, that industry is so big that it has become the main tool of customer loyalty that microsoft has. Millions, from huge Antivirus companies, to overstuffed IT departments, to your average computer repairman base their economy on Windows flaws. Those guys love windows and all its flaws. I've actually had people telling me "Well, I know it's a piece of crap, but it's what keeps people coming to my shop again and again". Not to mention the computer retailers. Imagine the fall in Dell stock if people didn't have to buy a new computer every 2 years just to run the latest OS? A friend of mine has am iMac from 2001 running the latest OSX. And it runs amazingly well ... If people knew they can run a blazingly fast 3D desktop on an 80 dollar atom-based mother+processor combo, newegg would die.

So, no, we didn't loose the security battle, Microsoft won the marketing one.

Re:This again? Really? (2)

v1 (525388) | more than 4 years ago | (#32129022)

http://hackerkey.com/

404

Re:This again? Really? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32129054)

Sureeeeee

The viruses are Microsoft's vault. Ha!

Please reference these "simple 50 lines executables that allow you to escalate any process you want with a few clicks". A few of course as you used plural.

I like your iMac reference, NOT. You have Apple's cock so far down your throat it's not even funny.

Re:This again? Really? (2, Insightful)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32129102)

I hate Apple. And I don't own a single Apple device. Not a computer, not an iphone, and I never will (I only use Free Software). But I was talking about a friend's computer. And what I said was absolutely true. The machine has a 1ghz processor and 1 gb of ram. Try running windows 7 there.

You are a poor troll. 3/10.

Re:This again? Really? (1)

nj_peeps (1780942) | more than 4 years ago | (#32129070)

And because M$ won the marking, most users will stay with winblows (and continue to buy a new computer every few years) because that is what they are "used to". Trying to instill change in someone is hard thing to do.

Re:This again? Really? (1)

Colonel Korn (1258968) | more than 4 years ago | (#32129084)

Don't use Windows. Was that so hard?

I am not saying that all other operating systems are perfectly secure by default or that they are invulnerable, but windows is absolutely insecure. We have to face that truth.

Microsoft's security record is laughable. And I'm not even talking about particular exploits, bugs can be fixed, I am talking about design. Windows is designed to be insecure. Security was never really taken seriously at microsoft. There are countless techniques to escalate permissions on just about any win platform (Including windows vista and 7). And this are not obscure and complex vulnerabilities. This are simple 50 lines executables that allow you to escalate any process you want with a few clicks.

Just take a look at any of their products, either server or desktop, and their security record will be worse than any competitor. Exchange, SQL, IIS, Explorer, Windows, Office. They allow script execution in crazy places (like a simple text document or spreadsheet).

Windows is insecure for a very good reason: Because there is a huge industry that developed around fixing windows, that industry is so big that it has become the main tool of customer loyalty that microsoft has. Millions, from huge Antivirus companies, to overstuffed IT departments, to your average computer repairman base their economy on Windows flaws. Those guys love windows and all its flaws. I've actually had people telling me "Well, I know it's a piece of crap, but it's what keeps people coming to my shop again and again". Not to mention the computer retailers. Imagine the fall in Dell stock if people didn't have to buy a new computer every 2 years just to run the latest OS? A friend of mine has am iMac from 2001 running the latest OSX. And it runs amazingly well ... If people knew they can run a blazingly fast 3D desktop on an 80 dollar atom-based mother+processor combo, newegg would die.

So, no, we didn't loose the security battle, Microsoft won the marketing one.

Of course, OSX falls first every single year in the pwn2own competition, where the competitors use their best tricks against default OS installs. Vista and 7 have tied with Linux in how many restrictions need to be lifted before they go down. OSX has been proven very solidly to be the inherently most vulnerable major OS, but thanks to obscurity, people don't use these same simple exploits in the wild.

Re:This again? Really? (0)

Anonymous Coward | more than 4 years ago | (#32129088)

A friend of mine has am iMac from 2001 running the latest OSX.

He's running an Intel-only version of OS X on a computer with a G3 processor? Impressive...

Re:This again? Really? (1)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32129154)

He's running OSX 10.5.8. There is a patch to make it PowerPC compatible. And It's a G4, not a G3.

Re:This again? Really? (1)

mattbee (17533) | more than 4 years ago | (#32129134)

A friend of mine has am iMac from 2001 running the latest OSX

The latest OS X only runs on Intel-based Macs, which came out in 2005. I last used a G4-based Mac Mini a couple of years ago (years ahead of a 2001 imac), with Tiger, and it was frustratingly slow. If your friend'a machine is running at all quickly I imagine it's still using OS 9 :-)

Re:This again? Really? (1)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32129182)

He's running OSX 10.5.8. There is a patch to make it PowerPC compatible. And It's a G4, not a G3.

The only thing slow is Flash. He's a designer. The other day, he was editing video in it (With a modern version of Final cut).

Re:This again? Really? (0)

Anonymous Coward | more than 4 years ago | (#32129142)

A friend of mine has am iMac from 2001 running the latest OSX. And it runs amazingly well ...

Are you sure about that? The latest OS X, Snow Leopard, requires an Intel processor, but Macs with Intel processors came out around 2006.

Re:This again? Really? (1)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32129204)

Read my other post.

Re:This again? Really? (0, Redundant)

bakawolf (1362361) | more than 4 years ago | (#32129268)

A friend of mine has am iMac from 2001 running the latest OSX.

No, no he doesn't. The latest OSX will not run on such a computer. Its not a matter of speed, either. The newest OSX does not have support for the PowerPC architecture.

Re:This again? Really? (0, Redundant)

jmauro (32523) | more than 4 years ago | (#32129326)

A friend of mine has am iMac from 2001 running the latest OSX

No, you are incorrect. If it was an iMac bought in 2001 it was at best a G3 based iMac. The current version of Mac OS X, Snow Leopard, only runs on Intel Mac (and it wouldn't run the version before that Leopard since it reqires at least a G4 PowerPC Processor).

Most of what you say is bunk otherwise. Security models on all major general purpose operating systems have well thoughtout security models, but they all suffer from implementation issues (and general incomptent configuration issues). Window's issues tend to be more well known since they have the largest installed base by far and as such tend to be the largest target.

Short of closed systems with only pre-installed software that can be mathmatically checked before deployment you're not going to get to a perfect future world. You'll also never be able to afford any of these computers you're proposing or for that matter really want to buy them.

Re:This again? Really? (3, Insightful)

Skarecrow77 (1714214) | more than 4 years ago | (#32129344)

Don't use Windows. Was that so hard?

Actually yes, it really really was. I worked for a long time to get my windows games working under Linux, and the best I could do was get a mostly working WoW through newer versions of wine (older versions had graphical corruption). I could resort to virtualbox to run games like alpha centauri and civ2. I simply was unable to run newish games, period.

So I gave up. I dual boot now. Windows for games, Linux for everything else.

Not everybody uses Windows because they're lazy, ignorant to marketing, or even want to. Sometimes it's the only thing that actually works.

Blah-blah.. Microsoft evil.. blah-blah.. (1)

denzacar (181829) | more than 4 years ago | (#32129392)

Relevancy Check here.
We are interrupting the scheduled Windblows/M$ bashing documentary with the news and weather report from the land of TFA:

Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. Think about what this could mean. Should this problem become pervasive, it won't matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below. They'll own DNS, the routers in between, and so on. There is effectively little defensive countermeasures to protect home routers and DSL modems, which are not exactly secure to begin with, or detect if they've been compromised.

These are all reasonable assumptions based on real-world attacks that have been going on for some time now. Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic. It's an increasingly effective strategy for attackers looking to get control of large numbers of systems, without having to re-infect them regularly.

That was Relevancy Check with news and the weather.
Now we return you to your scheduled blind worshiping your favorite non-M$ OS and Windblows/M$ bashing documentary.

Re:This again? Really? (1)

bell.colin (1720616) | more than 4 years ago | (#32129584)

How can a Mac from 2001 (which is pre-Intel) run the "latest OSX" (10.6) which is Intel only?

http://store.apple.com/us/question/answers/product/MC573Z/A?mco=MTQzMzA4MzI&pqid=QKPCTFJYTAPJ9XUH7JYYUJHF2HXC9D77A [apple.com]

Replacement every 2 years is not that bad when machines cost less than $400, maybe when desktops cost over the $2000 mark but now they are almost disposable.

MS does have design problems and no one will take them seriously on security, Even if they did take it seriously the reputation would take a long time to recover. Giving how they are concentrating more on pretty/glossy interface in vista/7 over usefulness i won't take them seriously anytime soon.

Apple has it's strengths but they are just too expensive,charging over $1500 bucks for 4GB ram for a desktop when the exact same f---ing RAM can be bought with the same specs/model number (minus the almighty apple logo sticker over it) from a general supplier for $200 just shows you buy into status rather than anything else.

Even the Linux folks get on my nerves sometimes, If i want to run my Nvidia card with the "proprietary" driver installed from the manufacture because it works and gives me stuff the OSS one does not, so be it. Proprietary can co-exist with OSS you know. (stop with the everything must be free and done this way speech sometimes)

There is no right answer to any of this you pick and use what works.

Assign responsibility to those who can do.... (5, Insightful)

wowbagger (69688) | more than 4 years ago | (#32129004)

We need to assign responsibility to those who can do something about it.

Every day, my firewall emails me a list of port scans against it, sorted by IP address. Most days that list is just under 100 different IP addresses scanning me, some days it is in the thousands of IP addresses - from all over the Internet (i.e. not just local addresses). This is on a residential DSL connection that offers no services to the world, isn't linked to by any web sites, and does not respond to any unsolicited traffic.

It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.

Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.

This is one of those rare cases where "there ought to be a law" is a reasonable response: were ISPs required by law to investigate abuse reports and disconnect infected clients until those clients are cleaned up, the number of infected machines on the Internet would be reduced, the profit margins of the bot-herders and spammers wiped out, and the system would clean itself up. However, such a law would be fought most vigorously by all ISPs precisely because it would be internalizing a currently externalized cost, and it would be worth vastly more to ISPs to prevent such a law than the cost of lobbying against it.

(NB: "repeatedly submitting false abuse reports" is itself abuse, and should also result in the source of the false reports being shut down).

"Trojan/Worm/Virus" credits, anyone?

Sweeping Conclusion (4, Insightful)

lymond01 (314120) | more than 4 years ago | (#32129032)

I disagree. Even working at a university, it completely depends on how you run your show. The department I'm part of has a border firewall, client firewalls, no one runs as administrator, antivirus, spyware, malware checkers are run on a regular basis. More important than any of those: we spend time to educate our users on security. They know what to avoid in terms of phishing scams, never to give out passwords to anyone, what to look for before you click on a link in an email (or even a website), etc.

To say the desktop war has been lost because the company you talked to has sucky IT and suckier IT clients...is just dumb.

Desktop, not workstation (1)

Rix (54095) | more than 4 years ago | (#32129374)

Yes, any halfway competent organization can secure its workstations. It's not that hard to form and enforce reasonable policies that keep the receptionist's system clean.

But when she gets home, there's no organization backing her up. There is no policy or IT support beyond (maybe) some Indian call centre who's first priority is getting her off the line ASAP. It's fair to assume her desktop at home has been compromised by anyone with the inclination to do so.

Surely (1)

jsnipy (913480) | more than 4 years ago | (#32129116)

This sort of FUD is in the best interest of those who sell "Identity guard" style products/subscriptions.

Surely not (2, Insightful)

adaviel (1189751) | more than 4 years ago | (#32129136)

The practice of using a single privileged account for everything - banking, reading slashdot, downloading porn - may be doomed, and about time too. But I still think there's hope for using a single piece of hardware and a single network. Even if it comes down to using not just separate accounts, but separate cores, for play and work. Last time I looked (a while back) some CPU manufacturers were adding features for process separation but the OS had not yet implemented support. End-to-end encryption should protect your data in transit, if not your usage pattern, though there a a few things to fix in SSL implementations to prevent MITM.

The array('crime','war','famine') may be lost... (1)

gravyface (592485) | more than 4 years ago | (#32129180)

You mean, in our tidy little world of 1s and 0s, where bugs don't exist, computers work perfectly, just like how Hollywood portrays them? Time to come to grips with reality. The World Isn't Perfect (tm), film at 11. People will continue to get pwned on their computers, just like how convenience stores will continue to get robbed, and how funds will be embezzled, and assets seized by a coup, and on and on.

I know my windows systems are safe! (2, Funny)

filesiteguy (695431) | more than 4 years ago | (#32129202)

I know this because I got a message saying my antivirus was out of date and that I needed to install an update. I simply clicked the link, gave them my credit card number and I'm safe now. I even have a cool new homepage.

So the battle isn't winnable (3, Insightful)

onyxruby (118189) | more than 4 years ago | (#32129210)

The battle isn't winnable, not without a significant world wide crackdown on rights and liberties.

Using that logic to say we shouldn't fight the battle at all is fundamentally flawed though. It's akin to saying that the battle against murder, rape and kiddie porn isn't winnable and should be given up. Human nature cannot be changed, we've spent countless thousands of years learning and relearning that lesson when we forget what history has taught us before.

Just because human nature cannot be changed does not mean that we give up on protecting ourselves. You don't play to win, you play because you can't afford to lose.

Assume Compromise (1)

Archangel Michael (180766) | more than 4 years ago | (#32129232)

We should assume compromise when we are building security into networked systems.

Anything less would not be diligent in proactive security. And security is always best when it is proactive, and not reactive.

And while it is inconvenient and even possibly insulting to those of use who have decent control over our system(s), we shouldn't base what we do upon our own security, we should be looking towards the weakest link and assume that it does and will continue to exist, and that is a vector for attack.

No-Charge Solution (4, Informative)

psbrogna (611644) | more than 4 years ago | (#32129372)

Other countries seem to be realizing that's it's a much more winnable battle if home users aren't in an MS environment. Isn't this EXACTLY why the Canadian bank recently started handing out Linux Live Boot CDs for their customers to use when banking from home?

I think this is the article http://linux.slashdot.org/story/10/03/25/2350236/Can-Ubuntu-Save-Online-Banking [slashdot.org]

The desktop battle is just getting interesting (1)

naasking (94116) | more than 4 years ago | (#32129414)

Now that HP has open sourced it's Polaris [wikipedia.org] virus-safe computing project.

This is NOT a Windows Issue (1)

AnonymousClown (1788472) | more than 4 years ago | (#32129440)

FTFA"

Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic

So, regardless if you have Windows, Mac OS or Linux; you could be fucked.

It looks like an attacker can put code in your router's firmware that sends all your traffic through their computers and they sniff it and get your passwords to you bank accounts.

And there are other exploits.

The bulletproof desktop (3, Interesting)

BenEnglishAtHome (449670) | more than 4 years ago | (#32129548)

One thing I loved about the ThinkNIC I set up for my mom so many years ago was that it was impossible to break. It booted from read-only media (a CD) so I knew that mom could never screw up anything in her computer permanently. The worst possible crash could be fixed by just turning it off and back on.

With so many folks pushing "cloud-based" solutions for, well, everything - Why hasn't something like the ThinkNIC come back?

A little box with any sort of read-only memory could hold all the programs most users will ever want. Make that memory in the form of some sort of plug-in card, and the entire machine would be easy to upgrade. (ThinkNIC used to send out new CDs with the latest versions of their setup.) It would also be easy to fix if a security problem were found; just mail out a new SD card or whatever.

Banks could advertise "Real Security. Because we care." They could give away a small computer to customers with the promise that said little box would enable streamlined access to their accounts, all while doing nearly everything an adult could need from a computer.

There's a kernel of a good idea in there, somewhere. I'm not the entrepeneur to make it into a business but I'm wondering why I don't see anyone trying?

Baffled (3, Funny)

Quiet_Desperation (858215) | more than 4 years ago | (#32129556)

I never seem to have these problems. Is there some weird, vulnerable OS out there that a lot of folks are using?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>