
SpyEye Botnet Nets Fraudster $3.2M In Six Months

Soulskill posted more than 2 years ago | from the get-rich-quick-with-malware dept.


wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."


99 comments


the biggest problem here, personal responsibility (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37429932)

Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.

This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.

If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.

35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

Re:the biggest problem here, personal responsibili (2)

planimal (2454610) | more than 2 years ago | (#37429958)

people aren't that smart. you think about all the wonders and achievements of human kind, but a trip to the DMV will bring you back down to earth

Re:the biggest problem here, personal responsibili (1)

CheshireDragon (1183095) | more than 2 years ago | (#37430056)

OK, so when are we going to hold Microsoft and other software makers responsible for making insecure software? Nice DMV comment...so true. "Waddaya mean I need insurance to register my vehicle?!" Yes, I heard that once before...

Re:the biggest problem here, personal responsibili (1)

ge7 (2194648) | more than 2 years ago | (#37430188)

You want to hold all the Linux contributors responsible too? Especially when the malware usually comes via user stupidity, not insecure software.

Re:the biggest problem here, personal responsibili (1)

CheshireDragon (1183095) | more than 2 years ago | (#37430976)

So you don't remember all the email viruses that spread years ago simply by opening them because they were exploiting flaws in system software? Or how about the malware spreading by exploiting other system flaws? Yes, some is user stupidity by installing some random program or clicking through popups and going to (compromised sites that exploit system flaws) but not ALL of it is caused by the end user.

Re:the biggest problem here, personal responsibili (1)

ge7 (2194648) | more than 2 years ago | (#37432428)

So you don't remember all the email viruses that spread years ago simply by opening them because they were exploiting flaws in system software?

Yep, it was years ago. On that note UNIX and Linux used to have lots of worms that spread remotely too, and there's still lots of bugs and sometimes even remote exploits. Firefox and Chrome patch hundreds of bugs per year.

If software vendors were being held responsible for every bug that might have slipped through, what do you think would happen? Open source contributors would stop contributing software, because they would risk losing their personal money in the process. On the other hand, Microsoft has the money. You would only kill open source development.

Re:the biggest problem here, personal responsibili (1)

CheshireDragon (1183095) | more than 2 years ago | (#37434984)

I agree. We are on the same side :)
I should have made it more clear in my first post that I was being sarcastic to the OP. The AC claiming that we should go after the people who are installing malware and to go after them. Like you stating that not every little bug can be perceived, nor can every computer user realize what they are installing is NOT malware, which the AC claims they should know what they are installing. Then I was sarcastically stating then why not go one step further and go after the people who make the software... Not saying it is a good idea and yes, it would really only hurt the Open-Source market, which, IMO is the only market that is truly making a difference.

Re:the biggest problem here, personal responsibili (1)

Stan92057 (737634) | more than 2 years ago | (#37435636)

Don't forget all the bug hunters/security people who released the vulnerabilities before they were fixed. They are more responsible than the criminals themselves in my book.

Re:the biggest problem here, personal responsibili (1)

Anonymous Coward | more than 2 years ago | (#37430088)

A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.

What? You don't manually check your brake lines every time you drive? You don't even know where to look? But that's YOUR RESPONSIBILITY!

Do you count your knives each night to know no one has stolen them to stab someone?

Personal responsibility means taking reasonable steps to make sure you don't harm others. It doesn't mean becoming an expert in every single aspect of technology to make sure it is impossible for anyone to use your equipment to harm others. It's completely unreasonable to expect your average person to know enough about their computer to know whether it is being used for crime.

Re:the biggest problem here, personal responsibili (2, Interesting)

Anonymous Coward | more than 2 years ago | (#37430132)

"Personal responsibility means taking reasonable steps to make sure you don't harm others"

Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.

So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430200)

Oh get off your goddamn high horse. Just because you deem yourself an expert you think every one and their mom should know "common sense" things. Guess what? None of this shit was common sense 10 years ago. It's continually changing, and most people don't give a flying fuck about any of it as long as they can do what they need to do.

That's how the world works. You're a freak of nature. Accept that.

Re:the biggest problem here, personal responsibili (1)

ge7 (2194648) | more than 2 years ago | (#37430206)

What are they being responsible for? Just running a piece of software isn't illegal. Even the FBI or whoever it was that cleaned one of the botnets gave computer owners the possibility to opt out of it, in case they wanted to keep it on their computer.

Re:the biggest problem here, personal responsibili (3, Interesting)

mpe (36238) | more than 2 years ago | (#37430252)

A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.

But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430822)

Give it time, give it time. The software retards will find a way to mess that up too.

Re:the biggest problem here, personal responsibili (2)

Stiletto (12066) | more than 2 years ago | (#37430618)

"A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."

But running malware and trojans is not "using a computer in a reasonable manner".

A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...

Re:the biggest problem here, personal responsibili (1)

tehcyder (746570) | more than 2 years ago | (#37438840)

A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...

The phrase "a better analogy" in English does not mean "a completely fucking retarded comparison".

Re:the biggest problem here, personal responsibili (1)

PopeScott (1343031) | more than 2 years ago | (#37431240)

A better analogy is leaving your car running while you dash into the store. Which IS against the law in many places. Someone might hijack it and commit a crime. Now, I haven't looked, I don't think you'd be liable for that crime, but if they hit someone else with that car, your insurance is at the least going to drop your ass like the irresponsible assbag that you are.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430092)

> In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million

In fact, that's only 128 dollars per person, so is quite reasonable. It'll teach people that there ARE real world ramifications to their carelessness, but it isn't so much money that it would be a hardship for most people.

Re:the biggest problem here, personal responsibili (5, Insightful)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#37430096)

In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.

I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run Noscript, of course, but don't expect anyone else to live with the problems it causes.

Re:the biggest problem here, personal responsibili (1)

MightyMartian (840721) | more than 2 years ago | (#37430178)

It's quite true. I can't blame users for shitty fucking plugins like Flash. They want to view online content, so are essentially forced to become part of an insecure ecosystem.

Re:the biggest problem here, personal responsibili (1)

Anonymous Coward | more than 2 years ago | (#37430396)

I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.

Re:the biggest problem here, personal responsibili (2)

Jah-Wren Ryel (80510) | more than 2 years ago | (#37430558)

I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.

+1 truth

I'm sick and tired of people who defend the unnecessary use of things like javascript by putting all of the blame for the accompanying reduction in security on the user.

The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.

Re:the biggest problem here, personal responsibili (1)

AliasMarlowe (1042386) | more than 2 years ago | (#37430276)

...in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.

Are you saying that Flash should be limited to Linux, BSD, OpenSolaris, and other operating systems with minimal protections? Better tell Adobe, because they always release new versions of Flash first for Windows. Does that imply Adobe is also complicit with the botmasters?

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37445014)

It would be better if Flash didn't automatically run every time your web browser encountered it. There is Flashblock, but most users don't know about it (and probably don't realise the security benefit of it).

Opera has options 4 FLASH (0)

Anonymous Coward | more than 2 years ago | (#37474304)

Only browser I know that has that NATIVELY "built-in" (not done via 3rd party addons), AND, it does the same FOR ALL OTHER PLUGINS (+ javascript/cookies etc. also) via:

This CAN be implemented/turned-on in:

---

1.) Opera's GLOBAL preferences -> Tools menu, Preferences submenu, Advanced, Content, Enable Plugins/Enable Plugins only on demand

OR

2.) Opera's right-click on a website page "By Site Preferences" - imo this latter method's IS the easier & better/faster way!

---

(The latter IS the "superior method" (especially if you 1st GLOBALLY DISABLE all javascript/plugins/cookies (i.e. - things that can cause hassles security-wise), etc.-et al, first - then, enable things like plugins/javascript/cookies BY SITE as you need them ONLY!!!)).

APK

P.S.=> Opera's the ONLY browser that I know that has a "By Site" preferences option, which is GREAT FOR SECURITY and SPEED @ the same time really (by not loading things you do NOT need to be running "constantly" &/or for NO GOOD REASON, especially if you do NOT need to be using things))

AND?

Opera also has the TLS1.2 SSL encryption option, which is "proof" to the NEW "BEAST" javascript attack that's "taking out" MILLIONS of SSL sites -> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/page2.html [theregister.co.uk] ... apk

In a world you can stop this (MY world) (0)

Anonymous Coward | more than 2 years ago | (#37432016)

U use this -> https://spyeyetracker.abuse.ch/monitor.php [abuse.ch] to add data 2 UR custom HOSTS file & firewalls (both software & hardware based ones, for redundant protection) to stop it from being able to work in the FIRST PLACE (by stalling communications with its C&C servers & more)...

That site's called SPYEYE TRACKER, & for GOOD REASON - it is a known reputable + reliable source for protective data vs. this threat.

APK

P.S.=> Enjoy... & you'd be surprised how many sources there are to protect yourselves from threats like this... I've repeatedly listed over 17++ or thereabouts here, many times (that's one of the better ones, vs. one of the worst threats (right up there with ZEUS imo))...

... apk
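The post above describes turning a tracker's feed into HOSTS-file and firewall entries. The script below is an added example, not code from the post's author or from the abuse.ch tracker, showing the defensive side of that workflow: validating feed lines before they touch a system file, separating hostnames (which a HOSTS file can sinkhole) from bare IP addresses (which it cannot, so they go to firewall rules instead), and refusing entries such as localhost that would break the machine itself. The feed lines are constructed placeholders under reserved example names, not real indicators; the iptables rule format is assumed as a representative software-firewall syntax.

```python
import ipaddress
import re

# Constructed sample feed in the style of a hostname/IP blocklist export.
# Every entry here is a placeholder invented for this example; none is a real
# SpyEye C&C indicator from the tracker referenced in the post.
SAMPLE_FEED = """\
# lines starting with '#' are comments
cnc-example-one.invalid
CNC-Example-Two.invalid   # trailing comment, mixed case
192.0.2.10
not a hostname!
cnc-example-one.invalid
localhost
"""

# Names that must never be redirected, or the HOSTS file breaks the machine itself.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}

# Hostname grammar: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z0-9-]{2,63}$"
)


def parse_feed(text):
    """Split a feed into (hostnames, ip_addresses, rejected_entries).

    Comments and blank lines are dropped, entries are lower-cased and
    de-duplicated, IPs are separated out (a HOSTS file cannot block them),
    and anything that is neither a valid IP nor a valid hostname is rejected
    rather than silently written to a system file.
    """
    hosts, ips, rejected, seen = [], [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)
            continue
        except ValueError:
            pass
        if entry in PROTECTED or not HOSTNAME_RE.match(entry):
            rejected.append(entry)
        else:
            hosts.append(entry)
    return hosts, ips, rejected


def hosts_file_lines(hostnames, sink="0.0.0.0"):
    """Render HOSTS entries that redirect each C&C hostname to a sink address."""
    return [f"{sink} {name}" for name in hostnames]


def firewall_rules(ip_addresses):
    """Render outbound-deny rules (assumed iptables syntax) for IP-based C&C endpoints."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ip_addresses]


if __name__ == "__main__":
    hosts, ips, rejected = parse_feed(SAMPLE_FEED)
    print("\n".join(hosts_file_lines(hosts)))
    print("\n".join(firewall_rules(ips)))
    for bad in rejected:
        print(f"# rejected: {bad!r}")
```

The rejected list is worth logging rather than discarding: a feed line that fails validation is either a format change upstream or a sign that the feed itself should not be trusted blindly, and a HOSTS file is a poor place to discover either.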

Patch Tuesday seems counterproductive (1)

Artifex (18308) | more than 2 years ago | (#37433694)

what other industry would tolerate having a recall on the second Tuesday of every month

Personally, I think we'd be safer if Microsoft didn't create Patch Tuesdays, and actually released patches as soon as they have fixes, instead. It seems that Patch Tuesday in practice just exists to reduce how often Microsoft is seen to release patches. There's a claim that we need a certain date in the month for all sysadmins to know to look for updates, but that's silly. Sysadmins should always be checking for vulnerabilities, and if they really can't be bothered to do it more than once a month they can set their own calendar -- but make the fixes available immediately to the rest of us.

Re:the biggest problem here, personal responsibili (2)

tqk (413719) | more than 2 years ago | (#37430174)

Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?

Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to use the history window instead and can't understand why she shouldn't.

A friend of mine was using Windows and got it infected. I built him a Linux box and showed him how to use it. Problem solved? No, because he kept going back to using his infected Windows box, wondering why his ISP cut him off every time he used it (because his ISP determined his machine was infected).

I've seen just as stupid !@#$ from doctors and lawyers.

What you want is for your politicians to write a law that forces all computer users to get a driver's license before being allowed on the net, and that isn't going to happen since the vast majority of politicians are lawyers who're just as stupid around computers as is my Mom. For most users out there, computing is still magic to them and I doubt that's going to change anytime soon. They see no need and are quite capable of blaming something/anything else for their ignorance.

Besides, it'd be a lot simpler to force ISPs to police their users. They have the expertise and at least some are doing it already. What's wrong with the rest of them?

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430586)

Funny, my father is 77, and has somehow managed to never get any malware since he started using computers in the 1990s (and not with any help from me - he does everything himself). Of course, he is willing to THINK, something that 99% of the population seems unwilling to do. Not incapable - they are perfectly able to if they want to. They just don't want to, and will make excuse after excuse for the others who don't want to either. So here we are, a culture of mass ignorance, a malware and spam filled world.

Re:the biggest problem here, personal responsibili (1, Insightful)

Stiletto (12066) | more than 2 years ago | (#37430638)

If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.

Re:the biggest problem here, personal responsibili (1)

tehcyder (746570) | more than 2 years ago | (#37438898)

If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.

Yes, because only people with Computer Science PhDs should be allowed to use computers, and ideally all computers would be giant mainframes in universities or large corporations. All this giving computer and internet access to the masses is just plain wrong.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430194)

Neither malware nor viruses have existed for 35 years. Stop the revisionist history. And even if they had existed you're still using a really shitty metric. That would be like screaming at a new 16 year old driver after an accident because cars have been around, more or less for 135 years.

Re:the biggest problem here, personal responsibili (1)

ma1wrbu5tr (1066262) | more than 2 years ago | (#37430210)

I agree, to a point. But it is less simple than you've made it. As an AV industry employee, I get to see firsthand how infections spread. It's actually pretty amazing how much of it is spread by software or operating system vulnerabilities and software companies are slow to address even known vulnerabilities. That being said, it is also true that most people on the information superhighway are simply driving at 700 km/h while texting, eating a donut, and watching a porn video. Click OK or Next now and think about it later.

Re:the biggest problem here, personal responsibili (1)

tehcyder (746570) | more than 2 years ago | (#37438912)

mod parent +1 funny for use of the term "information superhighway".

Re:the biggest problem here, personal responsibili (1)

jon3k (691256) | more than 2 years ago | (#37430388)

If your solution is for people to be smarter then you might as well throw in the towel now.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37430426)

Get off your high horse. A good friend of mine just a week ago had a search warrant served on him at 6AM and had basically everything with a power cord seized. He's been accused of running some bank scam, but there's absolutely no way this guy could have been involved. In all likelihood, either his computer was hacked, or someone was using his wireless. Either way, his life has been turned upside down.

Those of us who know about this stuff should be working to make technology secured by default, not blaming innocent average Joes for failing to take every security precaution possible.

Re:the biggest problem here, personal responsibili (1)

couchslug (175151) | more than 2 years ago | (#37430790)

"Is that the victims were generally NOT the people who allowed botnets to run on their computers."

Of course. There is no evolutionary pressure in the ecosystem to detoxify exploited computers. Bubba and Laqueefa don't give a fuck about internet security and WHY SHOULD THEY when there are negligible negative consequences?

I don't advocate any nonsense like government regulation to (not!) solve the problem.

It would be better done with destructive malware that disconnects infected PCs from the internet and does enough system damage to coerce a reinstall. No need to make personal files unreadable or data unrecoverable, just trash the OS.

There is NO ethical way to solve this problem, and there is no way to solve this problem without causing collateral damage.

Joe Dumbshit gets his porn appliance disconnected enough and gets tired of paying for reloads, and he will in some cases take action. Even if he replaces his PC with something more modern and, it is to be hoped, more secure, that's progress.

Re:the biggest problem here, personal responsibili (1)

tehcyder (746570) | more than 2 years ago | (#37438926)

and there is no way to solve this problem without causing collateral damage.

Fuck me, it's Mr Internet Tough Guy on the rampage with military jargon off a cornflakes packet.

Re:the biggest problem here, personal responsibili (1)

the_scourge (869323) | more than 2 years ago | (#37431958)

Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.

This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.

If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.

35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

BS. The bad guys are a lot smarter than you think they are. Exploit kits, iframes, obfuscated javascript, etc... they're EVERYWHERE now. Quit blaming the victim already.

Re:the biggest problem here, personal responsibili (0)

Anonymous Coward | more than 2 years ago | (#37432694)

You're so awesome. I bet all your friends and family ask you when they have a computer problem. And I bet you scold them mercilessly for their stupidity, but it's all right - they let you away with it because you're so much fun the rest of the time. You can't help it if you're a fucking genius at computers.

Re:the biggest problem here, personal responsibili (1)

durrr (1316311) | more than 2 years ago | (#37432970)

Given that those 3.2 million that was lost most likely originated from some of the 25k compromised machines I'd say that those responsible got what they had coming for them. If a single mother living under minimum wage had her machine compromised, yet no assets stolen via or from her, then why slap her with a $120 fine so that the few rich guys that are main targets don't have any incentive to fix their security holes.

Re:the biggest problem here, personal responsibili (1)

drwj01 (1695256) | more than 2 years ago | (#37433612)

People are only held accountable for things that they or any reasonable person would be held accountable for. Corporate users are taught not to use their 'work' computer for personal use or not to go to unauthorized sites. This is mostly to keep the corporate internet connection from being the source of malicious applications. Some organizations go so far as to teach or introduce users to information assurance as part of their right to access the internet. ISPs will continue allowing Darwin Award candidates access to the internet as long as they continue to pay for service. God help the USA when free internet gets here for every home. By free I mean, purchased by US tax dollars. ISPs should do their part in educating the account holder on internet usage, or ISPs should be held responsible for the attacks that happen on or from their networks. I am not asking that they censor access, just educate the user. That annual 'this-is-how-to-safely-use-the-internet' course would remove responsibility from the ISP on any incident.

Re:the biggest problem here, personal responsibili (1)

hesaigo999ca (786966) | more than 2 years ago | (#37434642)

I agree with you, same as a car, you would not just start driving one because you can afford to buy one, you have to take courses and also pass tests.
Computers in society seem too commonplace and without accountability. A pilot has to be registered to fly a plane and go through screening....why can not the ISPs enforce such things as well.

This is where the problem lies, it is more so the ISPs' responsibility also to know when an infected computer is within ITS network, and block it off indefinitely until the problem is resolved. If a judge can turn around and ban you from driving because of a DUI (act of stupidity) and decide not to let you access the roads until such time as he feels you have learned your lesson....so too should the ISP providers enforce actions that would keep you off the internet until such time as you can prove to them you are bug free....and this would be tested once you contacted them with information about being now secured, they would keep you under watch and block you again if you showed signs again of reinfection.

Some might argue that you pay for a service and should not be stopped from enjoying it (internet), but I do not agree....you pay for your insurance, car, license, and plates, yet a judge can under acts of stupidity (driving drunk) remove your privilege, yet you still own everything else and need to pay for it regardless....

Until we actually treat infected PCs as badly as we might someone having AIDS, we won't get anywhere...imagine if tomorrow everyone understood that an infected PC is like having AIDS yourself...no one would ever want to interact with you simply for fear of infection.....so treat it as bad as this to make the point get home.

Re:the biggest problem here, personal responsibili (1)

Stan92057 (737634) | more than 2 years ago | (#37435626)

What about the stinking security people who release vulnerabilities knowing they haven't been fixed yet? Because boohoo they didn't get fixed as fast as they thought they should have. I blame them more than I blame the criminals. There is enough blame to go to users but those who do know better are far more responsible for taking advantage of people. Stop blaming users, that's a cop-out.

Re:the biggest problem here, personal responsibili (1)

tehcyder (746570) | more than 2 years ago | (#37438812)

Yeah, and similarly, people have been dealing with money for thousands of years, but they still let themselves get mugged or burgled. With all that time to have become experts, they have only themselves to blame.

Your Bank Account is Locked (1)

Divebus (860563) | more than 2 years ago | (#37429954)

Click here to unlock your account [notification.zip].

I know it's a crime and all, but should we feel sorry for people who get scammed because they're just that gullible? I know plenty of people who are.

And... when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.

Re:Your Bank Account is Locked (1)

Rizimar (1986164) | more than 2 years ago | (#37430030)

I agree that there should be an update to the protocol. But you shouldn't blame the victims if they aren't computer-savvy in the least. Some people just don't "get" computers. You and I could probably spot spam and malware at a glance, but if you watch people surf or do things who aren't so knowledgeable about what goes on online, you may be surprised at what they're willing to open. The truth is, inexperienced users open up bad files and links often because they're being deceived by someone who knows who his targets are.

Re:Your Bank Account is Locked (0)

Anonymous Coward | more than 2 years ago | (#37430144)

> And... when are we going to "fix" the email system to prevent this?

How? What's wrong with it that needs fixing? The email system accurately delivered the attachment to the listed recipient. It cannot help if someone runs malware afterwards. That's like saying that people use cars as getaway vehicles when robbing banks, and when are we going to "fix" cars?

Even if you remove the ability to attach files to emails, there's always uudecode. You cannot stop the person between the chair and keyboard from doing something stupid, if they are intent upon doing so.

The only way to solve this is by people learning how to use their computers, and social pressure that pushes people in that direction.

Re:Your Bank Account is Locked (1)

Divebus (860563) | more than 2 years ago | (#37430254)

You're thinking inside the box. By "fixing" I mean removing the ability to send a message from one machine to another without authenticating the source. There's absolutely no security in SMTP and POP. That's what allows spam to be sent with your return address, or a nonexistent return address. Email was developed in the days where the Internet was the domain of the scientific, educational and government communities, without regard to security, and we're still using the same system.

It might be as simple as a monitor on everyone's computer saying "your machine just sent 1.2 million email messages". Maybe even an ISP level kill switch for each subscriber.

Re:Your Bank Account is Locked (0)

Anonymous Coward | more than 2 years ago | (#37430524)

> By "fixing" I mean removing the ability to send a message from one machine to another without authenticating the source.

It already allows for this - read RFC2015 and 3156. In fact I use that all the time, and it works great. A nice little icon comes up in the email window for authenticated sources.

> It might be as simple as a monitor on everyone's computer saying "your machine just sent 1.2 million email messages". Maybe even an ISP level kill switch for each subscriber.

Good ideas.

Re:Your Bank Account is Locked (0)

Anonymous Coward | more than 2 years ago | (#37430998)

Most spam seems to be sent from hijacked machines. Authentication will fix nothing; read some spam and "sender" and "payload" are rarely related.

Re:Your Bank Account is Locked (1)

Divebus (860563) | more than 2 years ago | (#37431344)

Authentication: Hijacked machines - or even normal machines - shouldn't have authority to send email from some random claimed domain or plain IP address. There have been some good attempts to solve these issues (SPF records, Sender ID, DomainKeys/DKIM, FCrDNS (forward-confirmed reverse DNS)), but there aren't enough universal safeguards to make them work. Since this is a huge hole for criminals to exploit, we as an IT management community need to tighten that up. That includes testing each message for compliance and blacklisting all non-compliant sources.

I know... here we go with RBLs again, but we have to clean this shit up.
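The per-message compliance testing described above (SPF plus forward-confirmed reverse DNS), as an added example that is not code from the thread: a small SPF evaluator covering the ip4, include and all mechanisms, with DNS answers taken from a constructed in-memory table of documentation addresses and example domains so it runs offline.

```python
"""Added example: SPF (RFC 7208 subset) and FCrDNS checks for an inbound
SMTP connection, evaluated against a constructed DNS table."""
import ipaddress

# Constructed DNS data: documentation ranges (RFC 5737) and example domains.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noauth.example": "v=spf1 ?all",
}
PTR = {"192.0.2.25": "mx1.example.com", "203.0.113.7": "mail.noauth.example"}
A = {"mx1.example.com": "192.0.2.25", "mail.noauth.example": "203.0.113.9"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for client_ip
    against the SPF record published for domain."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        # An IPv6 client never matches an ip4 network (membership is False).
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            # include matches only when the referenced record yields "pass";
            # a missing referenced record is a permanent error per RFC 7208.
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"                     # nothing matched and no "all" term


def fcrdns(client_ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to
    the connecting address."""
    name = PTR.get(client_ip)
    return name is not None and A.get(name) == client_ip


def classify_connection(mail_from_domain: str, client_ip: str) -> dict:
    """Policy verdict for one SMTP session: reject on hard SPF fail,
    otherwise accept and keep the results for downstream scoring."""
    spf = check_spf(mail_from_domain, client_ip)
    return {
        "spf": spf,
        "fcrdns": fcrdns(client_ip),
        "action": "reject" if spf == "fail" else "accept",
    }


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(ip, classify_connection("example.com", ip))
```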

Re:Your Bank Account is Locked (1)

tehcyder (746570) | more than 2 years ago | (#37439024)

You're thinking inside the box. By "fixing" I mean removing the ability to send a message from one machine to another without authenticating the source. There's absolutely no security in SMTP and POP. That's what allows spam to be sent with your return address, or a nonexistent return address. Email was developed in the days where the Internet was the domain of the scientific, educational and government communities, without regard to security, and we're still using the same system.

Personally, I blame the antiquated UNIX software responsible for most of the internet's infrastructure. The sooner everyone's running iOS on both server and client machines, the safer we'll all be.

Re:Your Bank Account is Locked (1)

MightyMartian (840721) | more than 2 years ago | (#37430208)

The problem always is that you have a goal of a mail system where anyone can theoretically send email to anyone, and there are huge advantages to such a system (which is why it has become one of the prevalent modes of long-distance communications on the planet). A new protocol is going to have to deal with the same problem and ultimately the solutions will simply be variants on the current solutions, and what's more will have an enormous hill to climb to replace SMTP.

Re:Your Bank Account is Locked (1)

Chris Mattern (191822) | more than 2 years ago | (#37430212)

when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.

No, it's not, and that's a big part of the problem. You used to only be able to send *text* through email. I can still remember when the idea of "e-mail viruses" was ludicrous--what, were you going to send them source code they'd have to compile and run themselves? Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely used in email anyways. But no, people had to have their whiz-bang toys that required one-click running of code that you didn't really know the source of--and here we are.

Re:Your Bank Account is Locked (1)

AliasMarlowe (1042386) | more than 2 years ago | (#37430376)

Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely used in email anyways.

For fairly large values of "rare", as I recall it. Using uuencode, possibly splitting a tar across several messages (to avoid filters), was common in the 80's because it was much less hassle than setting up an ftp site and sending login details for a one-time exchange. Also, the standard response to spam in the 80's (yes, it actually existed) was to send a few MB of core dump or other random binary in response, because the cretins usually used their own email addresses. That all changed in the 90's, and not always for the better.

Re:Your Bank Account is Locked (0)

Anonymous Coward | more than 2 years ago | (#37431696)

GP is discussing the ability of any host to spam at will once compromised. You are discussing email as an infection vector.

Re:Your Bank Account is Locked (2)

istartedi (132515) | more than 2 years ago | (#37431740)

It's the same system that was designed when there were 1,000 computers on ARPANET.

Sometime after that, Netscape decided that HTML would make mail look pretty. The rest is history.

I remember being on some mailing list when this started. The admins put instructions to disable HTML in the FAQ, and admonished posters who had it enabled. Alas, the windmills won.

Re:Your Bank Account is Locked (1)

DrBoumBoum (926687) | more than 2 years ago | (#37434176)

Mind you, HTML in an email message is in no way more dangerous than plain text; it looks prettier and that's it.

Re:Your Bank Account is Locked (0)

Anonymous Coward | more than 2 years ago | (#37434574)

Plaintext rendering is trivial. When you open the door to HTML rendering and plugins, the attack surface is not mere percentages larger; but orders of magnitude.

Playin' the game. (1)

Anonymous Coward | more than 2 years ago | (#37429970)

Capitalism. Gotta love it. Of course, this particular guy is frowned upon because he isn't a megacorporation doing it on much larger scales.

Re:Playin' the game. (0)

Anonymous Coward | more than 2 years ago | (#37431478)

Your intellectually dishonest misuse of the word "capitalism" reveals you to be a morally bankrupt Marxist. Capitalism is merely private ownership of the means of production, operated for profit. It does not in any way countenance fraud. But Marxists do, as their plan is and has always been very simply to corrupt Capitalism in every possible way, then blame the resulting catastrophe on Capitalism. Who do you think is responsible for the banksters not paying the price for their crimes? For not even having their firms bankrupted? Only the government (under both the moron Bush Jr. and the devious Obama) could accomplish this injustice, since the free market would have had the Lloyd Blankfeins and his cohorts all carrying "will work for food" signs on the corners of Wall Street just like they deserve, and just like true Capitalists want to see happen to them. Only the Marxists want otherwise, so they can continue to simultaneously support and demonize "the rich" while continuing to enable the fraudsters to commit their crimes because they fully intend to render the people penniless debt slaves so that the people will clamor for socialism. I pity the rich who earned their wealth honestly, and created most of the jobs that we all occupy in the process. The only sensible thing to do anymore for anyone who has any sort of capital, is to get the heck out of this country with your riches while you still can.
I have seen a nation in which there are almost no social welfare programs whatsoever, and there is hardly any severe poverty, where food and abundance is pouring out of every crack of society, and where the lack of corporatism has allowed the people to retain all farm land ownership in the hands of individual families, so that even if the industrial economy crashes, they can just go back to the farm and watch the rice grow. At least they won't ever starve. And a teenage kid standing on the street selling a cheap snack, permitted thanks to barely any regulations of any kind, had his pockets literally stuffed with cash and could easily pay rent and feed himself for working 6 hours a day.

But I won't tell you which nation it is, lest the liberals try to invade with their covert tentacles and corrupt the free market and prosperity that thrives there.

Re:Playin' the game. (0)

Anonymous Coward | more than 2 years ago | (#37432902)

Hi, Rand.

Re:Playin' the game. (1)

IonOtter (629215) | more than 2 years ago | (#37433936)

Don't worry, nobody is going to be invading Somalia any time soon. We're leaving it allllll to you, for you and your own personal enjoyment.

Re:Playin' the game. (1)

tehcyder (746570) | more than 2 years ago | (#37439076)

Capitalism is merely private ownership of the means of production, operated for profit. It does not in any way countenance fraud. But Marxists do

Yes, it's perfectly obvious that all those guys at Enron and Lehman Brothers were actually Marxists

In fact, the Communists now control everything, so they have already won, and the Western world is nothing more than a giant Stalinist gulag, where the so-called proletariat are in fact the prison camp guards safe with their free medical care and unemployment benefits, and the squirming, hard-working inmates are all the poor billionaires who are forced AT GUNPOINT to pay several thousand dollars tax a year each.

2.5 mm, lunch money for our neogod rulers (0)

Anonymous Coward | more than 2 years ago | (#37430046)

so the most important thing is to focus on stuff that really doesn't matter at all?

stuff that might matter; (which now includes avoiding; starving, drowning, burning up etc....); http://climaterealityproject.org/video/hour-24-new-york/

the hymenology council advises that there's more flappage contentions, causing the need for the neogods to attempt to re-write fake history, & science, yet again. the whore of babylon remains under the care of the council's counsel, as do the papers of challenge she carries.

can anyone guess the carbon footprint of just 8 simultaneous wars? you'd have to, because the mess we make is never included in the holycosters assessments of the glorious victories (for who?) always just within our grasp. see you on the other side of it?

disarm. read the teepeeleaks etchings, or watch the movie (unrepentant). be more careful of/for one another. for each of the creators' innocents harmed in any way....

always look for the real motives of the presenter, whomever it may be..... thanks again.

What? (0)

Anonymous Coward | more than 2 years ago | (#37430070)

90 is a handful now?

Re:What? (1)

theArtificial (613980) | more than 2 years ago | (#37430082)

Yeah, haven't you ever picked up a globe!?

Diablo 3 (0)

Mike Mentalist (544984) | more than 2 years ago | (#37430108)

Does that mean I didn't get accepted into the Diablo 3 pre-release beta then?

I have been practising with my CLICKCLICKCLICK finger for days.

Where was the money sent? (1)

Khoa (935586) | more than 2 years ago | (#37430176)

If his profits reside in a single account (or many accounts?) all his... Couldn't this be used to potentially track him?

But how to make money?? (1)

bwave (871010) | more than 2 years ago | (#37430330)

Ok, I understand if you compromise a PayPal account, you could transfer money to another PayPal account and withdraw. And that you can sell the information perhaps... But other than that, how can these people make money from a Botnet? Maybe could apply for a credit card with a person's info, but that seems slow. The article said what, $17,000 a day. And as far as transferring money, seems risky, as someone had to set up the account transferred into.

Re:But how to make money?? (1)

definate (876684) | more than 2 years ago | (#37431466)

Set up a merchant, possibly in another country, and use those cards on that merchant.
If you've got those details, transfer via Western Union, their bank, or similar.

Beyond that, this does sound like a high number. Though, given how much banking is done online now, if the botnet is set up to sniff their login and password for their bank website, they can use this and the bank's website to move whatever money they want.

Obviously... (1)

Mashiki (184564) | more than 2 years ago | (#37430594)

A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.

Re:Obviously... (0)

Anonymous Coward | more than 2 years ago | (#37430948)

More true than you know.

Father was selling a car. He listed 4000. He told me "I will come down to 2500 when someone offers it". Lady shows up and just writes out a check for 4k.

Moral? People don't know how the game is played. Some don't care. Some have no concept of what 1 dollar does and doesn't do.

There are *LOTS* of people willing to hand over money. Not because they are 'stupid'. But because they are lazy and don't look around a bit.

Re:Obviously... (0)

Anonymous Coward | more than 2 years ago | (#37431926)

More true than you know.

Father was selling a car. He listed 4000. He told me "I will come down to 2500 when someone offers it". Lady shows up and just writes out a check for 4k.

Moral? People don't know how the game is played. Some don't care. Some have no concept of what 1 dollar does and doesn't do.

There are *LOTS* of people willing to hand over money. Not because they are 'stupid'. But because they are lazy and don't look around a bit.

I never try to get a person to lower the price. If I wanted the car and he advertised 4000 and I thought it was worth it, I would give him 4000. If I only had 3800 to spend, I would not even try. People need to put what they want, I don't play games.

Re:Obviously... (1)

IonOtter (629215) | more than 2 years ago | (#37433956)

I suggest you don't go to any country where haggling is the norm, and *not* haggling is considered an insult.

Re:Obviously... (1)

tehcyder (746570) | more than 2 years ago | (#37439132)

I suggest you don't go to any country where haggling is the norm, and *not* haggling is considered an insult.

Oh come on, if you go to a country that traditionally haggles, and just pay them what they ask, they're not going to refuse your money, and they're not going to be insulted that the stupid rich foreigner paid three times what something was worth.

Re:Obviously... (0)

Anonymous Coward | more than 2 years ago | (#37433860)

Why not list the car at a reasonable price rather than take advantage of someone? Oh, life's a game is it, and the goal to get one over on other people?

I'd take 100 stupid people in this world over one person like your father.

Re:Obviously... (1)

tehcyder (746570) | more than 2 years ago | (#37439088)

A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.

If you see nothing morally objectionable in being a con man, go ahead.

Foo-ster (0)

Anonymous Coward | more than 2 years ago | (#37430814)

Anyone else think, oh wow, a new tech company is succeeding in a recession?

Your math appears to be off.... (1)

AndrewX (680681) | more than 2 years ago | (#37430858)

"...there were a handful of victims in 90 other countries..."


A handful of victims in 90 countries? What were they victims of, dismemberment?

Fraudster (1)

christurkel (520220) | more than 2 years ago | (#37431270)

Did anyone else read "Fraudster" and think it was a new social network?

Re:Fraudster (1)

tehcyder (746570) | more than 2 years ago | (#37439138)

Did anyone else read "Fraudster" and think it was a new social network?

I've signed up, it was only a hundred quid for a lifetime's subscription!

I expect my membership book and badge any time now.

Silly programmer (0)

Anonymous Coward | more than 2 years ago | (#37431366)

You should have started a company before you infected everyone with your nasty software.

It worked for Sony. It can work for you too.

Be thankful for Windows (0)

Anonymous Coward | more than 2 years ago | (#37432050)

If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.
Think of Windows users as a giant honeypot.

Re:Be thankful for Windows (1)

Alex Belits (437) | more than 2 years ago | (#37433372)

If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.

And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.

Re:Be thankful for Windows (1)

Kalriath (849904) | more than 2 years ago | (#37436558)

Other systems have users, which makes them just as vulnerable. A program only needs to be running in userspace to host a website on a weird port, send millions of emails, or intercept what the user is doing and send screenshots to Nigeria.

Quit with the stupid fallacy.

Re:Be thankful for Windows (1)

Alex Belits (437) | more than 2 years ago | (#37437988)

A program running as a user does not survive rebuilding the user's directory. And with proper security (such as AppArmor) it is confined to its own (not even the user's) files.

On Windows, compromise anything and you have compromised everything -- privilege escalation is a given.

Re:Be thankful for Windows (0)

Anonymous Coward | more than 2 years ago | (#37439384)

A program running as a user does not survive rebuilding the user's directory

On a desktop /home is more important than /bin. This is exactly what Linux cheerleaders don't get. They are thinking at the kernel level. X.org crashed? Who cares! As long as I can execute uptime and get a good number, the rest is irrelevant.

And with proper security (such as AppArmor) it is confined to its own (not even the user's) files.

AppArmor is broken shit because you rely on app developers or distro maintainers to secure their own apps rather than the OS actually securing it by default. Nobody is going to maintain rules for every single app. I guess given the limited apps on Linux it's probably maintainable at present scale. Which is cute. Got a serial printer? Guess what?! Let's deny CUPS access to /dev/ttyUSB. Yay.. more security!! Perfect for grandma!!

On Windows, compromise anything and you have compromised everything -- privilege escalation is a given.

Untrue. Facts tell us that Linux has had MORE security bugs than the NT kernel in recent times. But hey.. don't worry about facts just go on with your propaganda.

Re:Be thankful for Windows (1)

Alex Belits (437) | more than 2 years ago | (#37451842)

On a desktop /home is more important than /bin. This is exactly what Linux cheerleaders don't get. They are thinking at the kernel level. X.org crashed? Who cares! As long as I can execute uptime and get a good number, the rest is irrelevant.

Home directory can be safely backed up and restored in minutes, and should not contain anything executable in the first place -- it should be mounted with noexec option unless the user is interested in development. While out of the box Ubuntu won't do that for you, it's easily doable.

The whole system cannot have an easy recovery procedure or simple workaround against executable content -- once there is a suspicion that anything is modified, you have to have a known clean system, and your backup has to bring the OS and applications into a condition that allows all updates since the moment of backup to be applied, and all uncommitted state has to be cleanly restored or discarded to maintain consistency. A Windows user, no matter how knowledgeable, can't fix that on something as complex as a Windows desktop with various third-party software installed.

AppArmor is broken shit because you rely on app developers or distro maintainers to secure their own apps rather than the OS actually securing it by default.

AppArmor is independent of the OS security; it prevents applications' security bugs from causing problems with something the application is allowed to do according to the OS security model. Such a mechanism, if implemented, has to be configured per-application, and would be meaningless otherwise.

Nobody is going to maintain rules for every single app.

Distribution maintainers do a pretty good job at this, and users or administrators can add their own rules whenever necessary.

I guess given the limited apps on Linux it's probably maintainable at present scale.

Your guess is wrong...

Which is cute.

...and your arrogance is misplaced. Debian and Ubuntu maintain their repositories better than anyone anywhere maintained any collection of software.

Got a serial printer?

For at least 20 years there have been no serial printers in production.

Guess what?! Let's deny CUPS access to /dev/ttyUSB. Yay.. more security!! Perfect for grandma!!

If grandma managed to install a serial printer, I am sure she can edit the /etc/apparmor.d/usr.sbin.cupsd file that lists, among other things, devices accessible by cupsd. At the very least, Linux has a common driver model that allows multiple incompatible devices to be handled by one program using the same, actively maintained code. To support an obsolete printer in Windows, one would have to go to a warez site, and download something that was last updated in 1996.

Untrue. Facts tell us that Linux has had MORE security bugs than the NT kernel in recent times. But hey.. don't worry about facts just go on with your propaganda.

What the Hell are you talking about? Windows security is mostly plagued by problems that would have nothing to do with the kernel -- if not for the fact that they stem from the fact that Windows does not have efficient and secure IPC mechanisms. Windows still can't provide an efficient interface to anything without exposing the guts of all objects and data structures through it -- if a bad security implementation won't break this, someone's illiteracy in data structure handling, or a bad, object-leaking algorithm, definitely will. That's what would happen if Unix had only shared memory and TCP sockets, with thick layers of fluff designed to make such a system usable.

Most Linux bugs wouldn't be even considered bugs in Windows -- they are local denial of service and occasional privilege escalation (none of which are actually in kernel). There usually isn't anything more than suspicion of exploitability before the bug is fixed. On Windows, no one would raise an eyebrow for anything less than remote compromise with administrator access, with proof of concept exploit delivered to Microsoft doors.

Re:Be thankful for Windows (0)

Anonymous Coward | more than 2 years ago | (#37455028)

...and your arrogance is misplaced. Debian and Ubuntu maintain their repositories better than anyone anywhere maintained any collection of software.

How is it misplaced? Take an educated guess at the number of apps on the Windows platform. For e.g. Windows 7 32bit can run 16bit apps from the DOS, Win 3.1 era. Count all of them and given the number of distro volunteers they won't ever have time to create rules for even 10% of the apps. My point is you would require several orders of magnitude more competent staff to maintain a repo on the scale of Windows applications.

At very least, Linux has common driver model that allows multiple incompatible devices to be handled by one program using the same, actively maintained code. To support an obsolete printer in Windows, one would have to go to a warez site, and download something that was last updated in 1996.

False. If the printer supports PostScript, PCL, and other common printer tech you can use a generic driver for that. You will not get access to advanced features of the printer though, but that is obvious.

What the Hell are you talking about?

You can look up any security database. Bugs in the Linux kernel outnumber bugs in the NT kernel in recent years.

Of course I am being nice in only comparing bugs in the kernel. If we were to compare a default install of an average consumer Linux distro vs any store-bought computer that runs Windows, it would be laughable. At this point Linux fans will point out that the number of applications shipped is greater with a Linux distro. But so what? If you ship it you should take responsibility for it.

Windows still can't provide an efficient interface to anything without exposing the guts of all objects and data structures through it -- if a bad security implementation won't break this, someone's illiteracy in data structure handling, or a bad, object-leaking algorithm, definitely will. That's what would happen if Unix had only shared memory and TCP sockets, with thick layers of fluff designed to make such a system usable.

I have seen more kernel panics and BSODs than I can count but I have never ever encountered the Windows subsystem ever crashing on NT. You're full of shit. You have half-baked knowledge about NT design. Go and educate yourself. All the security features that Linux has bolted on, ACLs/AppArmor/capabilities/etc, have been in the NT design since the start. You cannot even create a low privilege process token on Linux for server processes. You have to create ANOTHER USER ACCOUNT for that. Welcome to 20 years ago. You are forced to use unnecessary things like chroot, setuid, capabilities (an unusable failure and they don't even work with the root user) and other bolted on stuff to get around crappy Unix design to come on par with NT. Unix was good for its time, it's a stupid design now. Nobody sane would even consider it as a valid design for inventing an OS at present.

Re:Be thankful for Windows (1)

Alex Belits (437) | more than 2 years ago | (#37455938)

How is it misplaced? Take an educated guess at the number of apps on the Windows platform. For e.g. Windows 7 32bit can run 16bit apps from the DOS, Win 3.1 era. Count all of them and given the number of distro volunteers they won't ever have time to create rules for even 10% of the apps. My point is you would require several orders of magnitude more competent staff to maintain a repo on the scale of Windows applications.

Repository maintenance != Your warez collection.

If you really care, DOS applications run on Linux just fine (and are sandboxed), however this has nothing to do with distribution maintainers keeping track of applications and their configuration -- including security settings. Indeed, that would be unthinkable in the Windows world, where no one knows what exactly he runs and where it comes from.

False. If the printer supports PostScript, PCL, and other common printer tech you can use a generic driver for that. You will not get access to advanced features of the printer though, but that is obvious.

Except, of course, there is no infrastructure to reuse printer filters independently from port type, so those are the only printers supported. Even with network printing, it's a task of each client to generate the output in the format that can be sent directly to the printer. Great design, indeed.

You can look up any security database. Bugs in the Linux kernel outnumber bugs in the NT kernel in recent years.

As I explained before, those are not the same kinds of bugs, and they are reported under vastly different standards of security research and disclosure.

Of course I am being nice in only comparing bugs in the kernel.

You mean, the part of Windows that no one would ever reliably attribute to any instance of successful exploit unless it happened in a lab while running under a hardware debugger?

If we were to compare a default install of an average consumer Linux distro vs any store-bought computer that runs Windows, it would be laughable.

This is false.

At this point Linux fans will point out that the number of applications shipped is greater with a linux distro. But so what? If you ship it you should take responsibility for it.

What is it supposed to mean? Proprietary software vendors don't take responsibility for anything at all, least of all security of their software or any software that runs on their platform.

I have seen more kernel panics and BSODs than I can count but I have never ever encountered the Windows subsystem ever crashing on NT.

Again, WTF are you talking about?

You're full of shit. You have half-baked knowledge about NT design.

There is no "NT design". There was a kinda-microkernel architecture of the original NT that was quickly drowned in ad-hoc stuff bolted on top of it. No one knows how much of it remains there, or what it does now.

Go and educate yourself

Where am I supposed to get any reliable information about Windows internals?

All the security features that Linux has bolted on, ACLs/AppArmor/capabilities/etc, have been in the NT design since the start.

Linux has Unix security and IPC at its core. It also has various forms of containers that properly isolate sets of processes (and happen to do everything virtualization does except running a different OS). That's actual security. Filesystem ACLs are a worthless add-on that I have never ever seen being used on anything Unix-like because they are a stupid idea. If you have actual human users, their access has to be controlled by applications, not file permissions, and if "users" are actually applications, their access always fits into the Unix user/group ID model. ACLs are a holdover from the time when file servers and multi-user computers with remote terminals were the only type of computers with shared access.

AppArmor is, indeed, a bolted-on system that prevents mis-designed software from doing stupid things. In a properly designed and implemented system its restrictions should never be triggered in the first place, but our friends from Adobe and similar shit-writing companies make it necessary. It is not a core security mechanism, its purpose is mitigation of brokenness.

Capabilities? Are you fucking kidding me? Most of what capabilities cover in Linux is not even core functionality in Windows. Capabilities cover access to kernel functionality and only kernel functionality, because the kernel is the only place where real security restrictions can be reliably imposed. Windows has an amorphous model of everything accessing everything, so restrictions may be placed everywhere and still mean nothing. Only with effective IPC and communication infrastructure, when few processes actually need access to anything security-critical, is there any chance to keep something as chaotic as a desktop computer secure. Only a tiny fraction of available possibilities are used by modern Linux desktops while Windows exceeded its own capacity for improvement a long time ago.

You cannot even create a low privilege process token on Linux for server processes.

Actually you can -- except those "tokens" don't have "high privilege" or "low privilege" access, they describe access to something in particular, and are passed over unix/local sockets.

You have to create ANOTHER USER ACCOUNT for that.

Oh, so THAT's what you are talking about??? I thought you wanted actual access tokens. User IDs are a correct solution, and usually the only correct solution for maintaining access, because they are recognized by all accesses to the kernel and cannot be changed. Everything else may be mutable, but the user ID of a process from exec*() to exec*() or _exit() can only be changed between the "real" and "saved" IDs it had when started. They are not "accounts" intended for humans, they are the one thing that always applies to a process.

As I said before, Unix security (processes, privileged operations, permissions) is real security, while things like AppArmor are workarounds for mitigation of fuckups. In Windows, everything is a workaround, though some may argue everything is a fuckup that acts as a workaround for a previous fuckup.

You are forced to use unnecessary things like chroot, setuid, capabilities (an unusable failure, and they don't even work with the root user) and other bolted on stuff to get around crappy Unix design to come on par with NT.

You don't seem to understand. Unix security is actually secure, it's a fundamental part of the OS design. Something has to be terribly, terribly wrong if a process with a non-privileged user can access anything that is only accessible to another user. This is why all Unix security privilege escalation bugs are from broken server programs (that now are increasingly moved to unprivileged user IDs) and setuid executables (that were cleaned up long ago). What Windows has is "security features", an ad-hoc mess that looks like OS security implementation, but has to be constantly broken for anything to actually work, and therefore is worthless.

Unix was good for its time; it's a stupid design now. Nobody sane would even consider it as a valid design for inventing an OS at present.

Unix is the best OS design ever made. If Microsoft hadn't held up development of computer software at a near standstill for at least three decades, it would have been possible that a better OS design emerged; however, such a thing did not happen, and it is unlikely to happen until at least 4-5 decades have passed after Microsoft software is forgotten. For now, there are two types of operating systems -- Unix-like and worthless shit. Windows is firmly in the second category.

Re:Be thankful for Windows (0)

Anonymous Coward | more than 2 years ago | (#37458042)

You mean, the part of Windows that no one would ever reliably attribute to any instance of successful exploit unless it happened in a lab while running under a hardware debugger?

Well, one way is to see the frequency with which the kernel binary is patched. A ton of malware is created after an OS patch is pushed (since most people run unpatched versions of Windows anyway). You can easily diff the patched binary and understand the code that was patched and create a working exploit.

What is it supposed to mean? Proprietary software vendors don't take responsibility for anything at all, least of all security of their software or any software that runs on their platform.

What I meant was if you do a total bug count of a fresh Windows install with a fresh Linux install, the linux install will have a higher bug count because of all the 3rd party crap that comes with it.

There is no "NT design". There was a kinda-microkernel architecture of the original NT that was quickly drowned in ad-hoc stuff bolted on top of it. No one knows how much of it remains there, or what it does now.

Where am I supposed to get any reliable information about Windows internals?

Read Inside Windows NT, or The NT Design Workbook

http://www.facultyresourcecenter.com/curriculum/BZ/pfv.aspx?ID=7401 [facultyres...center.com]

If you want access to the source code of Windows you can easily get it if you're taking any computer science course in college/grad school or know anyone who does. But of course reading tons of implementation code to understand high level design would be a huge waste of time. I have it on my PC right now. I believe it's a live snapshot of an XP era kernel from 2003.

Linux has Unix security and IPC at its core. It also has various forms of containers that properly isolate sets of processes (and happen to do everything virtualization does except running a different OS). That's actual security.

By design "UNIX Security" is nothing more than enforcing simplistic rwx permissions of files and mapped devices, etc. Process isolation is just the MMU doing its job. Which is ironic because original UNIX was targeted for a single processor with a swap file & no virtual memory. NT's object/token design is vastly superior to anything the Unix based operating systems have come up with. Using basic NT functionality you can take any running process token and reduce its rights (e.g. reading/writing to a specific folder or controlling any other I/O) dynamically.

Chrome uses this security model quite effectively for its sandboxing. Of course they had to re-do it for Linux because it doesn't have any such security model by design (unless the distros ship the bolted on crappy 'security' solutions).

Filesystem ACLs are a worthless add-on that I have never ever seen being used on anything Unix-like because they are a stupid idea.

It's only stupid on Unix. On NT, ACLs are a core design feature of the OS. They can be applied to anything - kernel objects, devices, even registry keys.

their access always fits into Unix user/group ID model.

No it does not. OK, so I am a team lead for two teams and I want to give read access to spec documents to 5 members of team1 and 3 members of team2, and read-write access to only 2 persons, one from each team. Under Unix, the system administrator has to give me the root password to create groups, etc., which is retarded and a huge security hole.

Capabilities? Are you fucking kidding me?

Yes, they are a joke on Linux! It has been pointed out more than once. Here is an example.

http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 [grsecurity.net]

20 out of 35 capabilities offered on Linux provide no more security than setuid as root. Unix design is fundamentally broken for advanced security features.

User IDs are a correct solution, and usually the only correct solution for maintaining access, because they are recognized by all accesses to the kernel and cannot be changed. Everything else may be mutable, but the user ID of a process from exec*() to exec*() or _exit() can only be changed between the "real" and "saved" IDs it had when started. They are not "accounts" intended for humans, they are the one thing that always applies to a process.

There should be no need to create more and more user accounts when all you need is the privilege based process security model that NT has.

Unix is the best OS design ever made.

Haha. I have no problem with you being a Linux cheerleader, it's quite fun actually. Once you learn more about NT you will realize how much Unix design sucks.

Re:Be thankful for Windows (1)

Alex Belits (437) | more than 2 years ago | (#37462494)

Well, one way is to see the frequency with which the kernel binary is patched. A ton of malware is created after an OS patch is pushed (since most people run unpatched versions of Windows anyway). You can easily diff the patched binary and understand the code that was patched and create a working exploit.

No one does it on Windows -- there are plenty of low-hanging fruits, thanks to the lack of secure design even when the kernel works exactly as intended.

What I meant was if you do a total bug count of a fresh Windows install with a fresh Linux install, the linux install will have a higher bug count because of all the 3rd party crap that comes with it.

And most of that is not a security threat. In Windows, things like denial of service or potentially exploitable problems don't even show up on the radar. On Linux every instance of buffer overflow is automatically marked as "potentially executes arbitrary code" and is instantly fixed without questions. Following your logic, the most secure version of Windows is Windows 95 because nothing was actually reported or acknowledged by Microsoft for it.

Read Inside Windows NT, or The NT Design Workbook

http://www.facultyresourcecenter.com/curriculum/BZ/pfv.aspx?ID=7401 [facultyres...center.com]

Judging by the table of contents, it's not an OS design or implementation document, it's a random set of specifications used somewhere by its kernel. They have no effect on anything that does anything of importance in Windows. I am sure Windows at this point can be transferred to XNU or rebuilt on top of Linux, or, say, OpenBSD, and it would suck approximately as much.

If you want access to the source code of Windows you can easily get it if you're taking any computer science course in college/grad school or know anyone who does. But of course reading tons of implementation code to understand high level design would be a huge waste of time. I have it on my PC right now. I believe it's a live snapshot of an XP era kernel from 2003.

It's only a good tool for keeping people who are interested in it, yourself included, away from any other OS design.

Well-designed systems, of course, have readable and usable source.

By design "UNIX Security" is nothing more than enforcing simplistic rwx permissions of files and mapped devices, etc. Process isolation is just the MMU doing its job. Which is ironic because original UNIX was targeted for a single processor with a swap file & no virtual memory. NT's object/token design is vastly superior to anything the Unix based operating systems have come up with. Using basic NT functionality you can take any running process token and reduce its rights (e.g. reading/writing to a specific folder or controlling any other I/O) dynamically.

Again, you don't understand. First of all, the things that you are talking about are "security features": bells and whistles that do not actually provide any security, but allow creating all kinds of restrictions that in reality mean nothing. Second, Unix security can be simple because Unix does not have multiple types of objects and interfaces -- it has one, and that object is the file descriptor. File permissions are only relevant when a file, device or socket is opened -- from the system security point of view that procedure is not fundamentally different from, say, establishing a TCP connection, exchanging keys and communicating over it using some encryption. At that point, the important things worth protecting are file descriptors, because they represent somehow authenticated connections.

An HTTP client's session may be completely un-authenticated, while a sysadmin logged in over SSH may be authenticated and have unlimited access to the system; however, contrary to their name, there are no files or permissions in sight, even though in both of those examples the entity representing a connection is a file descriptor -- this seems to confuse Windows fanboys such as yourself, because you never bothered to study how the system actually works. MMU/virtual memory is necessary for this to be implementable, however its role is very limited. The MMU will happily prevent access from one process' address space to another despite both processes having full access to each other -- it's a resource management and representation mechanism, not a security mechanism.

Chrome uses this security model quite effectively for its sandboxing. Of course they had to re-do it for Linux because it doesn't have any such security model by design (unless the distros ship the bolted on crappy 'security' solutions).

A process is a lightweight unit on a Unix-like system and a heavyweight unit on Windows. Thanks to the abysmal interprocess communication mechanisms in Windows, this will forever be true. Multiple processes as a part of high-performance parallel applications were running on Unix before the concept of "thread" was invented. As more complex process/thread/scheduler/VM models were developed, it was Unix-like systems, in particular Linux, that allowed a single model to be used for the whole range of applications from desktop to servers without any tweaking, and with all combinations of access restrictions imaginable. Windows design focuses on little tricks to make the UI look snappier and make MS SQL Server respond faster, while Linux never had to resort to such tricks. If anything, the design of Chrome is based on the Unix security and resource allocation model that was shoehorned into Windows.

It's only stupid on Unix. On NT, ACLs are a core design feature of the OS. They can be applied to anything - kernel objects, devices, even registry keys.

It's stupid because it is the wrong solution. The only situation not covered by Unix permissions is one where a file has to be writable for one set group of users (or user-like entities represented as users) and readable by another. Guess what -- this is insecure and unreliable. If there is shared write access, it has to go through an arbitration mechanism or a service that does something useful and happens to perform user access handling along the way. Version control systems, Wiki, databases, device access, remotely accessible services -- none of those things can be effectively implemented through chunks of data with ACLs attached to them; all have their own permission model and specific actions performed to provide integrity, limit access and resolve conflicts. File and resource ACLs are at the same level as "file as a set of records" or "OS provides each process a virtual machine that imitates the hardware the OS is running on" -- clever-sounding but impractical ideas that were rejected by users a long time ago when superior alternatives were developed. No one even uses them on Windows anymore, except for "big messy pile of files" servers -- and only because Windows users are too stupid to use a version control system.

No it does not. OK, so I am a team lead for two teams and I want to give read access to spec documents to 5 members of team1 and 3 members of team2, and read-write access to only 2 persons, one from each team. Under Unix, the system administrator has to give me the root password to create groups, etc., which is retarded and a huge security hole.

You are an idiot if you handle this by giving users write access to shared files. This is what version control systems are for, and none of those require root access to be managed. User authentication for such a system obviously can be handled through keys stored on a filesystem; however, it would take a special kind of idiot to allow shared access to authentication keys.

Yes, they are a joke on Linux! It has been pointed out more than once. Here is an example.

http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 [grsecurity.net]

20 out of 35 capabilities offered on Linux provide no more security than setuid as root. Unix design is fundamentally broken for advanced security features.

I see, you don't realize that the whole article describes capabilities in the context of an entirely imaginary application that does not exist in reality. Capabilities are useful as a fix for an earlier design that restricted things too much and required a process to run as root at some point to get access to some common functionality such as establishing (not even being) a server on a privileged port. Capabilities do not remove programmers' responsibility to drop permissions as soon as application design allows it to happen. A bug with "arbitrary code execution while running with elevated privileges" in its description is never going to be safe or excusable; however, Linux allows the programmer to limit the amount of code that runs under such privileges and yet enforce a sane security model. Most security-critical applications, such as database servers and version control systems, don't even have elevated permissions as far as the OS is concerned; applications that manage their backups do.

There should be no need to create more and more user accounts when all you need is the privilege based process security model that NT has.

You have an idiotic Windows-centric idea of what a "user account" is, and of how clearly defined user ID handling provides robust system security while anything else does not. Your example with users writing over each other's files, just because they are supposed to have write access to something, demonstrates how you fail to recognize what is reliable and practical. You are in good, or at least large, company though -- no one at Microsoft understands it, either.

Haha. I have no problem with you being a Linux cheerleader, it's quite fun actually. Once you learn more about NT you will realize how much Unix design sucks.

"NT" is an old, failed kernel design. Windows as it existed in NT days, and as it exists now, is a disgusting growth on that mediocre foundation.
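The privilege model this exchange keeps returning to (a process's real, effective and saved IDs, and the programmer's duty to drop to an unprivileged ID as early as the design allows) in practice, as an added example that is not from this thread or from any system it names. It assumes Linux with glibc's setresuid/setresgid, and that the "nobody" uid/gid used when run as root is 65534, which is a common but not universal value.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/getresuid on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Irreversibly drop this process to uid/gid and verify the drop.
 * Order matters: supplementary groups and the gid are changed first,
 * while the process is still privileged, because once the uid is no
 * longer 0 the kernel refuses to let it change them.  All three of
 * real, effective and saved IDs are set, so nothing remains to switch
 * back to.  Returns 0 on success, -1 (errno set) on failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* "Dropping" to root is not a drop at all; refuse so callers notice. */
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Clear supplementary groups only while we still have the power to. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify every one of the three uids and gids actually changed. */
    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid ||
        rgid != gid || egid != gid || sgid != gid) {
        errno = EPERM;
        return -1;
    }
    /* The decisive check: becoming root again must now be impossible. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone demo: as root, drop to "nobody" (assumed 65534);
     * as an ordinary user, drop to the IDs we already have, which
     * still exercises the verification path. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u; root cannot be regained\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The function is the check the reply's argument implies: it is not enough to call setuid(), the caller must confirm that no saved ID remains from which privilege could be recovered.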

Re:Be thankful for Windows (1)

Kalriath (849904) | more than 2 years ago | (#37449806)

I was going to reply, but the AC nailed it already. Users don't give a crap whether "Calculator.exe" gets infected with a virus. They do give a crap when "Jimmy at the beach.jpg" gets infected. Who cares about the system, the user's files are the irreplaceable data! Linux people constantly talk about how you can just blow away the user's home folder to sort out virus issues on Linux. Guess what, blowing away "My Pictures" is a ten million times harder sell to a user than blowing away "System" - and to be honest I can't blame them.

AppArmor sounds like a giant pain in the ass - app sandboxing done right is great, but I've yet to see it done right.

And frankly, privilege escalation is most certainly not a given. Yes, there's been some stupidly simple vulnerabilities (GDI cursor escalation anyone?) but at this time I know of no PE vulns on Windows.

Re:Be thankful for Windows (1)

tehcyder (746570) | more than 2 years ago | (#37439160)

If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.

And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.

Nothing is perfectly secure in a world where there are clever criminals and ordinary users

All the social engineering tricks to get information are independent of what fucking OS you're using.

punishment for theft in Islam (-1, Redundant)

mapkinase (958129) | more than 2 years ago | (#37432070)

As everybody knows, punishment for theft in Islam is amputation of the right hand.

insert scareware from Trendmicro .. (0)

Anonymous Coward | more than 2 years ago | (#37432248)

"His botnet was able to compromise approximately 25,394 systems [trendmicro.com] .. SpyEye was built specifically for Windows systems and Windows XP led the way, making up 57% of the compromised computers. Despite its improvements in security, there were nearly 4,500 compromised Windows 7 computers"