Throttling Computer Viruses

michael posted more than 10 years ago | from the slow-down-cowboy dept.

Security 268

An anonymous reader writes "An article in the Economist that looks at a new way to thwart computer viral epidemics, by focusing on making computers more resilient rather than resistant. The idea is to slow the spread of viral epidemics allowing effective human intervention rather than attempting to make a computer completely resistant to attack."

268 comments

FP! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4731573)

Sux0r it, beotches!!!!!!!!!

slow the spread of viral epidemics (5, Funny)

batemanm (534197) | more than 10 years ago | (#4731579)

Okay everyone back to 2400bps modems :-)

Re:slow the spread of viral epidemics (5, Funny)

MImeKillEr (445828) | more than 10 years ago | (#4731783)

2400 bps is too fast.

Everyone drop your baudrate to 110.

Just for laughs, we used to get stoned and call a multi-line chat board here in Austin, TX (long live AfterHours, R.I.P. Tombob). We'd drop our baudrate to 300 or 110 and attempt to have coherent conversations while inebriated.

Yeah, pathetic but the internet wasn't available to the public yet and we were young and st00pid.

Re:slow the spread of viral epidemics (2)

CoolVibe (11466) | more than 10 years ago | (#4731786)

I can top you on that... I think I still have my 300 baud acoustical modem (the one you put the phone on, with the rubber lippy things) somewhere in my attic...

:) (no really, I really still got it stashed somewhere...)

fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4731591)

fp

turd post (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4731593)

but you still suxx0r.

My dream! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4731772)

Last night I dreamt that I was in Russia. For some reason I had been made a high level official and someone was trying to assassinate me. Yet, there were meetings I had to go to, so the Russians arranged spetznaz troops for my protection. Great dream!

Just thought you'd like me to share it with you...

FUCKING MORON (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4731828)

Why the fuck do you think anyone here would be interested in your dreams?!?!?!

AARRGHH... there's nothing quite as boring and outright embarrassing as being forced to listen to someone else's dreams.

IN SOVIET RUSSIA (0)

Anonymous Coward | more than 10 years ago | (#4731884)

We would turn you in to the KGB and take bets on how long it would be before you died in the Gulag.

Re:IN SOVIET RUSSIA (0)

Anonymous Coward | more than 10 years ago | (#4731915)

Why would you turn a high level official in to the KGB -- even IN SOVIET RUSSIA?

Blah blah blah (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#4731594)

Sounds like someone doesn't know what he's talking about...

These are ones and zeroes, people, not biological organisms. They are either hindered or not by defenses. There is no in-between.

I have a brilliantly original idea (5, Insightful)

ekrout (139379) | more than 10 years ago | (#4731595)

Start writing secure software!

I'm not joking. The #1 rule of computer science is that computer scientists are lazy.

We need to stop working just to accomplish the minimal functionality desired and start testing the hell out of our software to ensure that it's secure.

Re:I have a brilliantly original idea (4, Interesting)

gorilla (36491) | more than 10 years ago | (#4731612)

You have to separate computer scientists, who research basic principles, from programmers, who implement those principles in available packages. No computer scientist would recommend that you develop an OS without memory protection, nor try to simulate multiple users on a system without file ownership. It didn't stop Microsoft.

Have fun! (0)

Anonymous Coward | more than 10 years ago | (#4731715)

I think we should go back to having fun hacking up new programs and having a hell of a time debugging them instead of just throw it out for money so the consumer can just buy it and it get rated like crap or midgrade to another program and becomes another victim

Re:I have a brilliantly original idea (1, Insightful)

Anonymous Coward | more than 10 years ago | (#4731641)

In order to accomplish this, we need to get the corporate fat cats to give us reasonable deadlines.

Their philosophy is "get the product out as quick as possible so I can get my new (insert expensive car/truck/boat/plane here). We can easily put out a service pack afterwards to fix any major problems users report to us." I think M$ lives by this philosophy!

Re:I have a brilliantly original idea (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#4731684)

Stop giving me excuses and start writing correct code. Your lazy slacker attitude isn't good for the world of computing.

Re:I have a brilliantly original idea (5, Funny)

vidnet (580068) | more than 10 years ago | (#4731669)

Yeah ok......starting tomorrow.

Re:I have a brilliantly original idea (3, Insightful)

FortKnox (169099) | more than 10 years ago | (#4731698)

There's always a hole that cannot be planned. In complex systems, bugs and leaks are bound to be found, regardless of how much attention you pay.
Plus, you usually have to balance security with user friendliness (putting on flame retardant jacket). Simply adding users vs root is a hassle for your average (home) user. People need to understand security to be willing to put in secure methods. Let's face it, people just want crap to work right now. They turn off security measures (like firewalls) to get something to work (like a game), then don't turn them back on so they don't have to deal with it the next time they try to play that game.

Re:I have a brilliantly original idea (5, Insightful)

cyborch (524661) | more than 10 years ago | (#4731837)

There's always a hole that cannot be planned.

True, but why do people have to keep writing programs with static buffer sizes? I cannot think of one single acceptable excuse to write a piece of software where a buffer overflow can happen.

If user input is in any way involved - directly or indirectly - then you need to test it before you accept it! There is no excuse!

Buffer overflows are not the only security issue with software, but the principle behind preventing them applies to most of the security issues out there...

So, I have to agree with your parent poster: the people making the software are lazy!

Re:I have a brilliantly original idea (5, Informative)

FortKnox (169099) | more than 10 years ago | (#4731907)

True, but why do people have to keep writing programs with static buffer sizes?

I think it isn't that people WRITE programs with static buffers nowadays as much as it is that people who maintain old software don't fix the static buffers.

Plus I could also argue what is more important to the program? Static gives me knowledge of the maximum size of memory used, if that knowledge is required. Searching is faster in arrays than linked lists (although replacing, on average, is slower). Don't assume that static buffers are ALWAYS wrong.

Re:I have a brilliantly original idea (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4731874)

There's always a hole that cannot be planned.

This is so very true [telegraph.co.uk] ...

Re:I have a brilliantly original idea (1, Insightful)

Anonymous Coward | more than 10 years ago | (#4731727)

We need to stop working just to accomplish the minimal functionality desired and start testing the hell out of our software to ensure that it's secure.

Such software is already here.

Two words: Open Source.

Re:I have a brilliantly original idea (0)

Anonymous Coward | more than 10 years ago | (#4731800)

Two words: Open Source.

I can't believe you haven't been MODDED UP yet!

Moderators. You know your duty!

Unfortunately... (1, Insightful)

Anonymous Coward | more than 10 years ago | (#4731728)

...it is rarely up to the implementors to decide. The project has a budget which is too little, and there is a schedule, which is too tight, and everyone else not in the project expects to see miracles.

Re:I have a brilliantly original idea (4, Insightful)

El Neepo (411885) | more than 10 years ago | (#4731744)

Being lazy = good.

If you write the simplest code you can that meets the requirements then more than likely it's secure. It has no fancy tricks, it's easy to see what it's doing, therefore it has fewer holes that need to be found.

Re:I have a brilliantly original idea (3, Informative)

redfiche (621966) | more than 10 years ago | (#4731758)

And the #2 rule is that hackers are not, so they'll probably find a way to break through your security if they really want to.

Seriously, this is a whole new way to think about security, and it has a lot of promise. Security systems will never be perfect, and if they are designed never to fail, the consequences of failure are likely to be dire. By managing the consequences of failure, you can best limit the effects of a determined attack. I think this is equally true of electronic security and physical security.

Re:I have a brilliantly original idea (5, Insightful)

janolder (536297) | more than 10 years ago | (#4731768)

Hate to rain on your parade, but there is ample evidence [microsoft.com] to suggest that quality has to be designed in rather than tested into the product later in the process. If your design is flawed, testing won't help a bit. If your implementation is riddled with bugs, testing will find 95% of them, but Murphy will ensure that you get bitten by the rest at the worst possible moment.

In this business, it's a tradeoff between quality and time to market. Up until recently, software purchasing decisions haven't been based on quality very much so the software producers have given the customer what he wants: Buggy product now.

Re:I have a brilliantly original idea (4, Interesting)

mseeger (40923) | more than 10 years ago | (#4731795)

We need to stop working just to accomplish the minimal functionality desired and start testing the hell out of our software to ensure that it's secure.

Everyone has two complaints about the software he/she uses:

  • It's not secure/stable enough
  • It doesn't have enough features

No one accepts that the enhancement of one leads to a degradation of the other one. Cisco has a nice approach (at least they had it during my ISP days): There is a feature rich version and a stability oriented version. The pick is yours.

Martin

Re:I have a brilliantly original idea (1)

h0ss (562457) | more than 10 years ago | (#4731822)

I'm not joking. The #1 rule of computer science is that computer scientists are lazy.

Yeah, whatever.

Are you willing to PAY for secure software? How about the average user?

It's not just about "do security from the beginning", it also takes a lot more time to properly vet a system if you're going to say it's secure. I doubt the average software customer would be willing to double the amount they'd pay for software just for security. (This obviously would be a place to insert a comment about Free software, but I don't feel like it.)

Re:I have a brilliantly original idea (0)

Anonymous Coward | more than 10 years ago | (#4731933)

Why would I want to pay for secure software? I can get Linux and OpenBSD for free.

Technique (5, Insightful)

gurnb (80987) | more than 10 years ago | (#4731597)

Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.
The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses.

Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older method, called signature-scanning, uses specific pieces of code to identify viruses.

Both methods have down sides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious. Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch--and the virus can spread in the meantime. Most antivirus vendors use both techniques.

It's time for the industry as a whole to look at different approaches. The time-honored method of signature scanning is a little worn and weary given the new viruses coming out.

Autonomous anti-virus programs? (0)

Anonymous Coward | more than 10 years ago | (#4731636)

How about neural networks: unleashing self-learning and constantly evolving anti-virus programs on the (intra)net?

Hmm... Gibson's AI intrusion countermeasures coming to life?

human intervention (3, Insightful)

it0 (567968) | more than 10 years ago | (#4731600)

Doesn't current human interaction show that it only stimulates viral spreading, by opening emails and running stuff because it says "I love you", not to mention the spreading of emails "warning new virus delete file foo.exe"?

Re:human intervention (3, Interesting)

Ektanoor (9949) | more than 10 years ago | (#4731902)

Absolutely correct. It is amazing to see how people simply and roughly ignore warnings, rush to open letters with such amicable statements like "Love you", "You won!", "About our last discussion", "Concerning your message". Such mails are usually the basis for those huge bursts of virus epidemics inside certain corporate networks. There are times when a new virus comes in and goes nearly unnoticed. However, when someone plays a little social engineering and sends some letter with a key phrase (cliche), one may see how panic rises inside the building in a matter of minutes. And it is curious to note that this really does not depend on the automatisms of the antivirus programs, the technicities of the admins or the experience of the users. It is a matter of network use and personal expectations. Some people overuse corporate systems for personal purposes, others use it for the majority of communications among colleagues and some see it as an escape hatch into a "virtual" world. Depending on the way such networks evolve, certain common cliches come up into frequent use. It is enough to send some E-Mail containing such a cliche and a good exploit to see users storming the admins with complaints.

Personally, I have seen some interesting trojan epidemics on networks that are in no way connected to the Internet. There was a company that was terribly paranoid and allowed Internet use only and exclusively from a particular computer. This way they thought they could overcome problems with viruses they had in the past. There was a not so dumb admin that dealt with the E-mail, filtering it through antivirus tools, before copying it onto a diskette and sending it into the LAN. And you know? They kept having serious problems with viruses. Some deeper analysis showed that every trojaned E-Mail containing a corporate cliche inside the subject was always the cause for the next epidemic.

How's that again? (1)

pknoll (215959) | more than 10 years ago | (#4731601)

Sounds to me like a clever programmer could use this very feature as the payload. You don't need to DDoS your target machines if the throttle will effectively do it for you.

I must think on this.

Re:How's that again? (-1)

Anonymous Coward | more than 10 years ago | (#4731642)

Shuush! Stop stating the bleeding obvious, otherwise someone will notice and start thinking!

Re:How's that again? (1)

Ripplet (591094) | more than 10 years ago | (#4731711)

Read the damn article, the whole point is that it *doesn't* affect performance, except in an absolutely minimal way. The technique depends on the fact that the machine will behave differently once the virus attacks, and it's this different behaviour that is disrupted, *not* normal behaviour.

Re:How's that again? (2, Insightful)

pknoll (215959) | more than 10 years ago | (#4731815)

I did read the article. And then I looked beyond it. Keep in mind that no virus/worm has yet been written with throttle-equipped computers in mind.

Hackers/kiddies/whomever are annoyingly clever at times. My assumption is that someone may be able to take advantage of a throttle to compromise legitimate traffic.

Since that's what exploits are all about, I have absolutely no doubt someone will try it if such defenses become commonplace.

Re:How's that again? (2)

The Evil Couch (621105) | more than 10 years ago | (#4731792)

It's for users, not servers. How many users do you know that make more than 1 connection per second? A webpage with multiple linked images from different sites would be about the only thing I could think of off hand that a typical user would be looking at that would request more than one connection established per second.

No DoSing here. It's completely transparent to the guy in room 207 sending email or looking up stuff on the intranet.

Would probably work... (2)

Hammer (14284) | more than 10 years ago | (#4731929)

Actually the parent post talked about stopping DDoS.
A Distributed Denial of Service is done by hijacking many user boxes and from each bombarding a server with hundreds of bogus requests per second. This throttle would likely choke that (unless the server being DDoS'd is on this users list of known servers)

Micro$oft sponsored idea? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4731608)

Sounds like this could be a Micro$oft PR dept. sponsored idea.

After all, they've been seriously hit by the recent critical holes in their systems and what better way to counter it than just making people believe that there's nothing that can be done to resist attacks. Just live with it.

Re:Micro$oft sponsored idea? (-1)

Anonymous Coward | more than 10 years ago | (#4731632)

mod parent BS POST down

Re:Micro$oft sponsored idea? (0)

Anonymous Coward | more than 10 years ago | (#4731674)

Oh, that's insightful. Instead of trying to discuss my suggestion you resort to calling my post "bullshit".

Nice going, turd for brains. No wonder Slashdot's such a pile of shite these days.

The best way to throttle viruses (2, Interesting)

Anonymous Coward | more than 10 years ago | (#4731611)

is to launch global network monitoring, perhaps monitored by a reputable security company like mi2g. It would require nodes at pretty much all internet connections, of course, and could be costly, but the cost is minuscule compared to the savings. Then that company could record traffic and, once a virus propagates, backtrack through the logs for the first time it appears. From there, we could find the originator and bring the full weight of the law on him.

NOW we're talking! (4, Insightful)

Shoten (260439) | more than 10 years ago | (#4731613)

This is an excellent idea. For a long time the fight against computer viruses (as well as many other aspects of computer security) has been focused on winning or losing, period. Try to stop the virus, and that's it. But what about what happens when a virus gets through? Like almost all things in computer security, there hasn't been enough attention given to what happens if security fails. Bruce Schneier has been yelling from the mountain that security is as much about what happens when safeguards don't work as it is about making sure they do. The notion of being able to keep a virus in check to a certain degree is a good example of security that can fail gracefully when a new virus comes around.

This will of course lead to a new class of virus.. (5, Funny)

Unknown Bovine Group (462144) | more than 10 years ago | (#4731623)

The "annoy the user to death" virus.
You have a possible virus(mickeymouse variant 1a). Transmit to everyone in your address book?
No.
You have a possible virus(mickeymouse variant 1b). Transmit to everyone in your address book?
No.
You have a possible virus(mickeymouse variant 1c). Transmit to everyone in your address book?
No.
You have a possible virus(mickeymouse variant 1d). Transmit to everyone in your address book?
No. ARGH!

Re:This will of course lead to a new class of viru (0)

Anonymous Coward | more than 10 years ago | (#4731761)

Reminds me of a "game" inside a MUD I once played (god, that is sad. Better make this an anonymous post)
The computer tried to guess a number you had in your head. It went like this:
Is it 6?
>no
Is it 6?
>no
Is it 6?
>no
Is it 6?
>no
Is it 6?
>no
Is it 6?
>yes
AHAHAHAAAA! I WIN! YOU LOSE! I'M THE BEST!

Re:This will of course lead to a new class of viru (4, Funny)

CoolVibe (11466) | more than 10 years ago | (#4731845)

There is a slightly more annoying version of that one already in existence. They killed it off not too long ago.

You might have heard of it, it was called "Clippy"

Re:The "annoy the user to death" has already hit! (2)

cyber_rigger (527103) | more than 10 years ago | (#4731856)

[Are you sure you want to do this]

[Are you certain]

[press enter to exit]

[press escape to continue]


The "annoy the user to death" virus has already hit!

One connection per second? (2, Insightful)

Malduin (207683) | more than 10 years ago | (#4731624)

Could you imagine how slow Slashdot would be at one connection per second? How well could this work on high traffic sites?

It would probably save other sites from being Slashdotted, though.

Re:One connection per second? (2, Informative)

/Wegge (2960) | more than 10 years ago | (#4731679)

Could you imagine how slow Slashdot would be at one connection per second? How well could this work on high traffic sites?


If you read the article, you'll see that the limit is on OUTgoing connections, not incoming traffic. In other words, this type of AV effort will not eliminate the slashdot effect.

Re:One connection per second? (1)

Pean (524414) | more than 10 years ago | (#4731682)

Good point. The only thing I can think that would help is

The idea, then, is to limit the rate at which a computer can connect to new computers, where "new" means those that are not on a recent history list.

Re:One connection per second? (1)

Unknown Bovine Group (462144) | more than 10 years ago | (#4731722)

I assume a server listening for inbound connections and responding to them would not be throttled, only one initiating outbound connections. Of course, this would be one thing that could be manipulated to "trick" the throttle.

Hope he doesn't patent this (2, Interesting)

FearUncertaintyDoubt (578295) | more than 10 years ago | (#4731646)

It could be of so much benefit to everyone in helping stop attacks (and make them not worth attempting, at least in their current form). But he's a researcher for HP, so I am guessing he will. Oh well.

I just got an image of him presenting his paper, and pointing to each audience member, "patent pending, patent pending, patent pending" ala Homer Simpson.

Not very sophisticated. (4, Insightful)

onomatomania (598947) | more than 10 years ago | (#4731660)

Article blurb:
The idea, then, is to limit the rate at which a computer can connect to new computers, where "new" means those that are not on a recent history list. Dr Williamson's "throttle" [...] restricts such connections to one a second.
Hrm... well, it might have some benefit for things like Nimda, but it won't do anything for nasties that spread via email. If this becomes a default in a future version of Windows, though, you can bet that any virus meant to propagate by opening outgoing connections will just self-throttle, or disable the feature first. Already there is precedent for this, such as Bugbear that disables software firewalls so it can get out and spread.

I would much rather see effort spent educating people to install security related patches regularly and turn off unused services, and push vendors towards "secure by default."

Re:Not very sophisticated. (1)

redfiche (621966) | more than 10 years ago | (#4731787)

I can only assume the same technique would apply to emails. The point is to assume that your security may fail, and to think about what the consequences of that failure would be.

Re:Not very sophisticated. (2)

Badgerman (19207) | more than 10 years ago | (#4731841)

The basic concept could be applied to emails, perhaps - unexpected email requests, a system that scans for outgoing mails and compares it to a common list of outgoings, or detects spoofed addresses, etc.

The BASIC idea of finding ways to strangle virii and warn of spreads is a good one. But you make an excellent point that we have to consider ALL methods of spreading virii.

Re:Not very sophisticated. (3, Interesting)

GT_Alias (551463) | more than 10 years ago | (#4731910)

The idea, then, is to limit the rate at which a computer can connect to new computers, where "new" means those that are not on a recent history list. Dr Williamson's "throttle" [...] restricts such connections to one a second.

OK, this seems to point to the question: Why was the ability to connect to "new" computers at an extremely high rate there in the first place? Is that ability ever utilized to any extent in legitimate, day-to-day operations?

If so, this might cause you some problems and putting "throttling" in there is a really bad idea. But if this ability isn't used, then maybe the "throttling" should be put in at the OS level.

The only time I can see having this at the OS-level being a problem is when you first start up some big iron that needs to connect to thousands of clients. The OS might kill any attempt to do this. But once you've established a semi-regular list of clients, then having the OS thwart any attempts to connect to a massive amount of "new" machines seems like a good idea.

security vs. privacy (2, Interesting)

GdoL (460833) | more than 10 years ago | (#4731661)

The author refers to the different behaviour of a computer infected by a virus as a way to detect the virus. What the author says is that a virus will try to make connections to as many computers as possible. This different behaviour is then monitored by a system and someone somewhere is informed of the presence of the virus.

But to have this system installed you will be giving someone an authorization to see your computer use profile, giving away your privacy. And it will not detect most viruses that are only interested in destroying your data and/or spamming your friends via email.

Re:security vs. privacy (2)

The Evil Couch (621105) | more than 10 years ago | (#4731854)

The way this looks like it's written to me is to be used in business LANs. No need for privacy there. The bottom line is what needs to be looked after. If the sys-admin needs additional permissions on your computer to be able to keep you from doing something stupid, oh well.

I know I'd like to beat some of my users regularly with a stick.

Re:security vs. privacy (0)

Anonymous Coward | more than 10 years ago | (#4731888)

no idiot. here's several good applications for it (even though I don't think it will work)

an event log monitor or a syslog monitor that watches for these outgoing connections, and when it sees them, it notifies the USER. This could easily be installed on your home machine, runs within the scope of your home machine, and never ever ever sends information out. It could/should be open-sourced, even. It could easily be adapted to look for incoming connections in the same fashion, since the average home machine is NOT a server and shouldn't expect incoming connections.

Second, on a corporate lan your privacy is irrelevant. They own the machines, they own the bandwidth (or they rent it, but it's not yours), and security is THEIR problem. Therefore, they could stick this stuff on the firewall, proxy, router, or whatever, and just watch each host (without requiring an agent on each host) and bammo, the security admin gets a pager notification or something and unplugs the suspected host from the network. Then he goes and does a virus scan, or reformats, or whatever, to clean it. Nothing infected, the corporate lan is safe again!

I'm all about protecting privacy, but why can't you just figure out how to protect your privacy without getting paranoid every time someone comes up with a new way to do something?

Fuckin' use your brain!

Tries... (0, Offtopic)

Ripplet (591094) | more than 10 years ago | (#4731662)

Tries desperately to think of something interesting to say about this post, other than, "cool", "why didn't I think of that" etc. Fails.

Tries desperately to resist temptation to mention FirstPost. Fails.

Tries to think of something else to discourage moderators from hitting the thumbs down button. ??

Now we're gonna have (2, Insightful)

dethl (626353) | more than 10 years ago | (#4731663)

semi-anti-virus programs that "hold" the virus in until Joe Blow computer user comes in, and accidentally releases the virus into his machine.

Will it work? (2, Interesting)

yogi (3827) | more than 10 years ago | (#4731665)

If the throttle is implemented on the same machine as the virus, the virus writers will turn it off.

If it becomes a widespread implementation on the upstream routers, then virus writers will throttle their own connections to 1 per second to evade detection.

This defense was only tested against Nimda, and other viruses may work other ways. Will it stop email virii?

Makes the Warhol worm a bit harder to implement though :-)

Details, details (2, Interesting)

TillmanJ (223874) | more than 10 years ago | (#4731666)

...where are the details. What kind of heuristics is this 'throttle' using? Do they look for disparate connections, like 100+ individual hosts per minute, or simply just for connections outside of a tripwire-esque 'connection profile' for the machine? What kind of protocols does the throttle watch?

I really enjoy the Economist, but this article is so shallow and fluffy, especially for them.

computer history (2, Interesting)

it0 (567968) | more than 10 years ago | (#4731690)

The article basically says that it wants user intervention when it connects to a new/unknown computer it hasn't connected to before. So the virus could still spread to its known list?? What if you run kazaa? The program would block outgoing connections.. I know which one is going out of the window first..

Link to paper (4, Informative)

NearlyHeadless (110901) | more than 10 years ago | (#4731692)

Here's Williamson's paper on the idea: Throttling Viruses: Restricting propagation to defeat malicious mobile code [hp.com] I haven't read it yet, but I see one potential problem right away. When you load a web page, you normally make quite a few connections--one for each image, e.g. I'll have to see how he handles that.

Re:Link to paper (2)

NearlyHeadless (110901) | more than 10 years ago | (#4731771)

When you load a web page, you normally make quite a few connections--one for each image, e.g. I'll have to see how he handles that.

Now that I've read it, I see that he's just talking about the first connection to a computer. So, if your web page's images are all on the same server, no delay. If you have one on images.slashdot.org and another on adserver.f-edcompany.com and another on aj783.akamai.net, there will be a slight delay.
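The thread quotes the article's description of the throttle (outbound connections to hosts not on a recent history list are limited to one per second) and the comment above works out what that means for a page whose images sit on several servers. The following toy simulation is an added example, not code from HP or from Dr Williamson's paper: it replays a list of timestamped outbound connection attempts through such a throttle and reports how long each one waited. The one-per-second figure comes from the article; the size of the history list and the backlog threshold at which an operator would be alerted are assumptions, as the traffic samples are constructed.

```python
"""
Toy model of the per-host outbound "throttle" discussed in the thread:
connections to hosts already in a short recent-history list pass at once,
while connections to "new" hosts are released no faster than one per second.
Constructed example; not HP's or Dr Williamson's code.
"""
from collections import OrderedDict, deque

HISTORY_SIZE = 4          # assumed size of the recent-history list; the article gives none
NEW_HOST_INTERVAL = 1.0   # one new host per second, the figure quoted from the article
ALARM_BACKLOG = 10        # assumed: a backlog this deep looks like scanning, not browsing


def simulate(attempts, history_size=HISTORY_SIZE, interval=NEW_HOST_INTERVAL,
             alarm_backlog=ALARM_BACKLOG):
    """Replay outbound connection attempts through the throttle.

    attempts: list of (time_seconds, host), sorted by time.
    Returns (decisions, alarm_time): decisions is a list of
    (host, requested_at, released_at); alarm_time is the first instant at
    which more than alarm_backlog new-host connections were waiting, or None.
    """
    history = OrderedDict()   # recently contacted hosts, least recently used first
    pending = deque()         # release times of queued new-host connections
    next_slot = 0.0           # earliest time the next new host may be released
    decisions = []
    alarm_time = None

    for t, host in attempts:
        if host in history:
            # Known host: passes immediately and counts as freshly used.
            history.move_to_end(host)
            decisions.append((host, t, t))
            continue

        # Forget queue entries that have already been released by time t.
        while pending and pending[0] <= t:
            pending.popleft()
        if alarm_time is None and len(pending) > alarm_backlog:
            alarm_time = t

        # New host: wait for the next free one-per-second slot.
        release = max(t, next_slot)
        next_slot = release + interval
        pending.append(release)
        decisions.append((host, t, release))

        # Admit the host to the working set, evicting the least recently used.
        history[host] = release
        if len(history) > history_size:
            history.popitem(last=False)

    return decisions, alarm_time


def total_delay(decisions):
    """Seconds of added latency summed over all attempts."""
    return sum(released - requested for _, requested, released in decisions)


# Constructed traffic: a page whose images live on the same server plus two
# third-party hosts, the situation discussed in the thread.
BROWSING = [
    (0.00, "www.example.com"),
    (0.10, "images.example.com"),
    (0.15, "www.example.com"),
    (0.20, "ads.example.net"),
]

# Constructed traffic: a worm-like burst contacting 50 previously unseen
# addresses ten milliseconds apart.
SCAN = [(10.0 + 0.01 * k, f"10.0.0.{k + 1}") for k in range(50)]


if __name__ == "__main__":
    for name, traffic in (("browsing", BROWSING), ("scan", SCAN)):
        decisions, alarm = simulate(traffic)
        print(f"{name}: {len(decisions)} attempts, "
              f"{total_delay(decisions):.2f}s total delay, alarm at {alarm}")
```

Running it shows the two regimes the thread argues about: the browsing sample pays under two seconds on its two third-party hosts and nothing on the repeat contact, while the scan sample, which never repeats a host, is stretched from half a second to nearly a minute and trips the backlog alarm after a dozen attempts. Because only the first contact with a host is throttled, repeated connections to one already-known server are not slowed at all, which is worth keeping in mind when judging which spreading patterns a throttle of this kind does and does not affect.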

Issue at Hand (5, Insightful)

seangw (454819) | more than 10 years ago | (#4731693)

I think the issue at hand is a more global issue faced when writing applications.

Software is expected to behave 100%. How many of the developers here have had some strange bug, that may only appear in 1 out of every million users (not instances, otherwise it would happen in less than a second in most all modern processors). Then we are asked to fix it.

This solution is great, throttle the computer, lose that 2% of all connections being instantaneous, but then it won't be perfect.

I think we have to more realistically analyze the needs of modern software, and accept that it can "fail" to an acceptable degree if we want some superior functionality.

The human brain is great, but it fails (quite too much for myself). IBM is announcing building a computer that could simulate the human brain, but it won't reap the rewards of our brains until it's willing to give in to the issues that we face, uncertain failure.

With our "uncertain failure", look how great we are at calculating PI to the 100th digit (well, normal individuals anyway). Our brains certainly couldn't calculate nuclear simulations with the "uncertain failure".

We will probably have to split "computer science" into the "uncertain failure, superb flexibility" and the "perfect, 99.999% of the time" categories.

This sounds great for the "uncertain failure" group.

Sounds like Microsoft is just right for the job... (0, Troll)

CrazyDuke (529195) | more than 10 years ago | (#4731695)

"...after all, at Microsoft, we really know how to slow down your computer for you."

/me can see the flames mentioning X+KDE and X+Gnome's speeds being slow as well descending upon him. @_@

Re:Sounds like Microsoft is just right for the job (1, Funny)

Anonymous Coward | more than 10 years ago | (#4731836)

Warning: Antivirus program detected recently installed software has caused computer slowdown and transmission of unknown packet to www.microsoft.com
Possible cause: Microsoft software.
Advice: Do not trust Microsoft

Solution: Install GNU/freeware alternatives.

Problems With Insecurity (4, Insightful)

txtger (216161) | more than 10 years ago | (#4731697)

A lot of the vulnerabilities of these systems are things that are just downright idiotic, in my opinion. We've made programs that don't really need to talk to the outside world able to do so (Word, Excel), and we've given programs that shouldn't be able to control the filesystem and other aspects of the system that privilege (Outlook, Internet Explorer). During the Summer I managed to have Internet Explorer install software for me (.NET Platform).

Why do we not look at applications and give them a domain before we just open the floodgates? Why not just say, "hey, email comes from the outside world, I don't trust the outside world, so I won't let my email client do anything it wants to". I know that this wouldn't stop all of these problems, but I think the general idea would circumvent many virii.

Re:Problems With Insecurity (1)

GigsVT (208848) | more than 10 years ago | (#4731899)

That runs completely counter to what MS's design goals are.

Document-centric, not application centric.

Really, they took this stupid design goal from Apple, king of the "you don't run applications, you run documents" paradigm.

This one mindset has caused a large number of MS's recent worms and viruses.

Time for a change of strategy (1, Interesting)

twosider (576122) | more than 10 years ago | (#4731701)

The current method of paying a mandatory annual fee to one of the anti-virus companies seems almost like an inherent conflict of interest, much as plumbers used to install pipes that easily corrode in a few years. We're always playing catchup, and I have an *extra* annual fee for each of my computers connected to the internet.

Searching and scanning for new viral signatures is not a final solution. The real solution is a transparent system where the processes running are recognized by the operator, much as you recognize a familiar face when the mailman comes to the door.

I have so many services/processes running on WinXP that I have no idea what half of them do, but I can't turn them off, or something won't work. Seems like virus authors hardly have to try to find ways to exploit millions of systems with a single outbreak.

To those working on a different solution, thanks in advance.

attention virus writers (0)

Anonymous Coward | more than 10 years ago | (#4731708)

attention virus writers: There is a new technology on the horizon. It hasn't been implemented yet. You only have a year or 2 to figure out a way around this.

This just ups the ante. (2, Informative)

fractalus (322043) | more than 10 years ago | (#4731710)

We've got malware that now disables personal firewall software so as to avoid detection. This throttle might be an effective patch against current viruses, but the next round will simply work around the throttle, if it is applied locally.

Of course the article doesn't really say whether this is enforced on the local machines or is applied from outside (i.e. at a switch or router). However, by talking about it as an inoculation, it suggests it is really enforced on the local machine.

It's a good idea, in general, but it has to be user-tweakable, and that means it's virus-tweakable too.

Good idea! (2, Insightful)

Gekke Eekhoorn (27027) | more than 10 years ago | (#4731712)

And it's not that difficult to implement either.

Give your switches enough memory and let them keep a history of 20 IP addresses per host. (This number needs to be tweaked according to usage, of course.) When you get an IP packet going to a new host, record the address and start a 1-second timer. While the timer runs, drop all IP packets to hosts not on the list.

The packets you drop will be resent, and you get the wanted behaviour.

Another advantage is that you only need to change the switches, not the systems.

Only problem I can see: What about web pages with lots of images from different servers? Those will take forever to load. You could tell everyone to use a proxy, but you wouldn't be able to run this throttling on the proxy...

suggestion... (3, Funny)

Dexter's Laboratory (608003) | more than 10 years ago | (#4731713)

Run Windows! That'll slow things down. Maybe it would slow down the spreading of viruses too?

Re:suggestion... (2, Funny)

6Yankee (597075) | more than 10 years ago | (#4731793)

Run Windows! [...] Maybe it would slow down the spreading of viruses too?

You really haven't been paying attention, have you?! :))

If education can thwart AIDS (2, Insightful)

registered_user (463604) | more than 10 years ago | (#4731716)

How about some Outlook awareness classes?

Gnutella, Seti@home... (0)

Anonymous Coward | more than 10 years ago | (#4731726)

The idea, then, is to limit the rate at which a computer can connect to new computers
Hope this throttling doesn't adversely affect p2p apps.

"computers" resistant to virii? (0)

Anonymous Coward | more than 10 years ago | (#4731730)

Wouldn't it be more accurate to say "operating systems"? Of course the article appeared in a mainstream, non-technical journal so I guess:

(Microsoft Windows) == (computer)
Of course some "computers" are already resistant to virii (viruses?):

Worms on the other hand...

Support Neo-Ludditism (4, Funny)

corvi42 (235814) | more than 10 years ago | (#4731734)

[SARCASM]
Prevent the spread of viruses, make computers more secure, enjoy life in the Real World, spend more time with your family & loved ones!

All this and more can be yours! Support Neo-Ludditism - break your computer today!

No computers means no computer problems!
Just imagine a profitable new career in ...um.... basket weaving!
[/SARCASM]

guffaw (0, Offtopic)

fiftyLou (472705) | more than 10 years ago | (#4731747)

In the time that it takes a technician to swig a mouthful of cold coffee and clear the boxes of congealed pizza from his desk,

Ha Ha Ha!

Fscking hell, I just spit Mountain Dew all over the chinese food delivery guy...

This will only work for TCP. What about UDP ? (3, Insightful)

Viol8 (599362) | more than 10 years ago | (#4731770)

Since only TCP has the idea of connections, only this protocol can be protected from abuse in this way. Others such as UDP/ICMP etc. send their data in discrete packets (as far as the OS is concerned; whether the app client-server system has the idea of connections over UDP is another matter) and if you limit these to 1 packet a second you can kiss goodbye to a whole host of protocols because they simply will not work efficiently or at all any longer. All his idea will do is cause virus writers to use protocols other than TCP. For macro viruses this could be a problem (does VBScript support UDP?) but for exe viruses it's no big deal I suspect.

Re:This will only work for TCP. What about UDP ? (0)

Anonymous Coward | more than 10 years ago | (#4731797)

I think you've confused several protocol layers here. How exactly will a virus spread using UDP or ICMP?

Microsoft already does this... (5, Funny)

krystal_blade (188089) | more than 10 years ago | (#4731776)

Virii thought: Woohoo, I got in a machine!
Windows: "Are you a dll?"
Virii thought: "Umm... Yes. I like Outlook."
Windows: "Okay, hang on..."

Launches Outlook...
Virii thought: "Why is everything blue?"
Windows: .............
Virii thought: "Oh, if only I had hands!!!"

Wtf are you smoking? (0, Troll)

Viol8 (599362) | more than 10 years ago | (#4731788)

I don't get the joke there at all. Can someone show me where it is?

Re:Wtf are you smoking? (2)

krystal_blade (188089) | more than 10 years ago | (#4731810)

No. You not getting it adds to its funniness.

I don't understand (1)

agurkan (523320) | more than 10 years ago | (#4731790)

Why should the virus or the worm respect any restriction brought by the operating system? Doesn't it make more sense to prevent the connection at the computer that is attacked rather than at the attacking computer? But then how do you distinguish an attack using e.g. SSL from a legitimate connection?

Virus? (0)

Anonymous Coward | more than 10 years ago | (#4731805)

This is designed to slow self spreading worms like Nimda. The idea is to reduce the number of new connections a computer can make to computers it's never talked to before. There's nothing about how an O/S could actually enforce this.

Is this on the individual computers? (2, Insightful)

Qzukk (229616) | more than 10 years ago | (#4731807)

If this is on individual computers, I can't see "human intervention" being effective. It might certainly slow the progress of a worm, but I can just see someone getting a pop-up box "Your machine appears to be infected with a virus, should I delete it?" and someone sitting there and hitting "No."

It would probably be more effective as some kind of network device/firewall that eats excessive network connection requests, then lets the administrator know that computer X appears to be infected (bonus points for inspecting packet content to determine type of infection).

In fact, that implementation isn't new. I recall seeing a computer set up at a colocation site to inspect HTTP traffic and block HTTP requests that looked like Code Red infection attempts.

virus writers will respond, of course (3, Insightful)

djembe2k (604598) | more than 10 years ago | (#4731818)

Yes, this will slow down the spread of viruses -- but the article makes a big deal of the fact that a throttled system can detect the attempts to rapidly make many network connections, setting off an alert. Of course, as soon as people come to count on this as their primary form of virus detection, a virus will be written that only attempts one connection a second, and then, very slowly it will spread undetected on those systems that rely on the throttle for detection. And we know there will be people who rely on it exclusively . . . .

Umm, I don't buy it. (5, Insightful)

Toodles (60042) | more than 10 years ago | (#4731826)

In short, this guy's idea for curbing infection rates of &pluralize("virus"); is to restrict systems' network access to one new host per second. Exceptions would be made for high demand, known servers, such as mail servers and (I presume, even though it wasn't in the article) HTTP or SOCKS proxies. Interesting idea, and it would help in slowing down the infection of, say, Nimda or Code Red.

I can't help but think that his logic is flawed, however. For example, most corporate headaches come from email based virii. If the only connection needed for the virus to spread is the email server it already has access to, there is no delay for the emails to be sent out to the mail server. No one could request for the email server to be throttled and keep their job, so the infected emails would be sent out, with no perceptible delay caused by the throttling.

The only thing this might help with is worms, not virii in the more common sense such as email based LookOut virii, .exe/.com infectors, or boot sector infectors. The article fails to mention the Hows of this throttling; is it based on the routers (in which case quick infection of the local subnet would take place) or on the switches (which could break most broadcast applications, not to mention mean all systems outside the subnet look the same) or in the OS (in which case the virus could put its own TCP/IP stack in to replace the throttled one, and end up with no throttling effects whatsoever).

How about, instead of throttling network access, we move to more reliable code, better access controls at the kernel level, and a hardware platform that makes buffer overruns and stack smashing a thing of the past. While I am anti-MS, Palladium does actually have some good ideas on the hardware level. It's the DRM level that stinks to high heaven.

why not? (2, Funny)

pixitha (589341) | more than 10 years ago | (#4731849)

why not just stop the anti-virus companies from making all the viruses in the first place?

I mean, they make money on sales of anti-virus software, without any kind of regulation; hell, with the way corporate America is already going, who says it's not a big scam anyhow?

Somebody smoking crack? (2)

cr@ckwhore (165454) | more than 10 years ago | (#4731859)

I'm sure this sounds like a good idea to some people, but I'm not convinced.

The idea, then, is to limit the rate at which a computer can connect to new computers, where "new" means those that are not on a recent history list. Dr Williamson's "throttle" (so called because it is both a kind of valve and a way of strangling viruses at birth) restricts such connections to one a second. This might not sound like much to a human, but to a computer virus it is an age.

This sounds to me like the idea is to basically make the tcp/ip stack single threaded.

Ok smart guy, so let's use an HTTP request as an example. Loading a web page, a browser could theoretically make several connections to several different servers. So, with our single threaded, "throttled" TCP/IP stack, a simple web page could take several seconds to load, at least until the server on the other end is in the "history".

Ok, so this "history" as the document describes... where is it kept? Hard drive? RAM? So, for every outgoing connection, the machine needs to check the address against a table somewhere... this is added overhead. Let's say that the address needs to be resolved... well, then we need to go through this process a second time just for the DNS server.

So, this "Doctor Matthew Williamson" of HP... is he full of crap? I dunno -- I don't have a PhD.
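The throttle as the thread describes it (Gekke Eekhoorn's switch sketch above: a short history of recently contacted hosts plus a one-per-second gate on new ones; the Economist passage quoted in this post) can be simulated in a few dozen lines. The following is an added example, not code from the Economist article, Williamson's paper or any poster; it runs on a simulated clock, the history size of 20 comes from the switch sketch, and the backlog threshold of 8 pending connections used to raise an alert is an assumption. It also includes the case djembe2k raises, a spreader that stays under one new host per second, to show what the alert does not catch.

```python
from collections import OrderedDict


class Throttle:
    """Per-host throttle on a simulated clock (seconds): hosts in the history go
    straight through, never-seen hosts are released one per interval and wait meanwhile."""

    def __init__(self, history_size=20, new_hosts_per_sec=1.0, alert_backlog=8):
        self.history = OrderedDict()     # recently contacted hosts, oldest first
        self.history_size = history_size
        self.interval = 1.0 / new_hosts_per_sec
        self.next_slot = 0.0             # earliest time the next new host may go out
        self.pending = []                # release times of connections still waiting
        self.alert_backlog = alert_backlog   # assumed threshold for raising an alert
        self.alerts = []                 # times at which the backlog reached the threshold

    def _remember(self, host):
        self.history[host] = True
        self.history.move_to_end(host)
        if len(self.history) > self.history_size:
            self.history.popitem(last=False)   # evict the least recently used host

    def connect(self, t, host):
        """Request a connection to host at time t; return (release_time, delay)."""
        self.pending = [r for r in self.pending if r > t]   # forget released ones
        if host in self.history:         # repeat connection: no delay at all
            self._remember(host)
            return t, 0.0
        release = max(t, self.next_slot)
        self.next_slot = release + self.interval
        if release > t:
            self.pending.append(release)
        if len(self.pending) >= self.alert_backlog:
            self.alerts.append(t)        # many new hosts waiting: flag this machine
        self._remember(host)
        return release, release - t


def web_page_load(t0=100.0):
    """Images from three servers, as in NearlyHeadless's example (constructed fetch order)."""
    th = Throttle()
    fetches = ["images.slashdot.org", "adserver.f-edcompany.com", "aj783.akamai.net",
               "images.slashdot.org", "images.slashdot.org", "adserver.f-edcompany.com"]
    return [th.connect(t0, h)[1] for h in fetches], th


def worm_burst(n=50):
    """n connections to n distinct never-seen hosts in one instant (constructed TEST-NET addresses)."""
    th = Throttle()
    return [th.connect(0.0, "192.0.2.%d" % i)[1] for i in range(1, n + 1)], th


def slow_spread(n=10):
    """One new host per second: inside the limit, so no delay and no alert (djembe2k's point)."""
    th = Throttle()
    return [th.connect(float(i), "198.51.100.%d" % i)[1] for i in range(1, n + 1)], th


if __name__ == "__main__":
    print("page delays:", web_page_load()[0])               # [0.0, 1.0, 2.0, 0.0, 0.0, 0.0]
    print("burst: last delay", worm_burst()[0][-1], "s, alerts", len(worm_burst()[1].alerts))
    print("slow spread alerts:", len(slow_spread()[1].alerts))   # 0
```

The page load pays one second per extra server and nothing for repeat hits, the 50-host burst backs up to a 49-second delay and trips the alert, and the one-per-second spreader passes silently, which is why the thread treats the throttle as a brake plus alarm rather than a detector.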

Re:Somebody smoking crack? (2)

Boone^ (151057) | more than 10 years ago | (#4731887)

What about mail servers? Imagine a company attempting to do "normal" business at 1 new connection a second. Internal mail would work great, but anything to anyone else would be lagged multiple days.

Side benefit: I suppose it would slow down the spammers, too, forcing them back to sending snail mail chain letters.

It's a start . . . (2)

Badgerman (19207) | more than 10 years ago | (#4731875)

The basic idea of "find ways to strangle virii" is a good one. I think he's onto something here, something so obvious it wasn't obvious. Even if his technique slowed virii down only a few percent, the spread over time would be much lower.

However, this is really only one idea. Its value is in pointing out that to deal with an age of virii, unreliable web pages, email viruses, trojans, bad firewalls, and everything else that didn't exist fifty years ago, we need to think in radically different methods.

The greatest value of this research is really going to be how it gets people to take a new look at computing. And for that, I say, it is about time. Our ideas for dealing with computer troubles need to evolve since the troubles we're facing continue to occur, spread, and change.

P2P (3, Interesting)

Shade, The (252176) | more than 10 years ago | (#4731894)

Unfortunately I don't know much about P2P protocols, but wouldn't this tend to slow them down a bit? How many connections does Gnutella (for instance) throw out per second?

Very strange indeed (1, Interesting)

Anonymous Coward | more than 10 years ago | (#4731925)

Why not propagate the 'fix' the same way the virus itself propagates? We know the virus is efficient as hell, surely the fix in assembler can't be much bigger than the virus?