Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Community Comments To Security Absurdity Article

kdawson posted more than 7 years ago | from the boiling-frogs dept.

Security 190

An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"

cancel ×

190 comments

Sorry! There are no comments related to the filter you selected.

OB Security Slashdotism (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17029030)

All your {whatever} are belong to us.

We wouldn't be having this problem if... (3, Insightful)

BadAnalogyGuy (945258) | more than 7 years ago | (#17029072)

<fill in the blank>

people would use common sense.

Re:We wouldn't be having this problem if... (3, Informative)

Anonymous Coward | more than 7 years ago | (#17029226)

From the article:

"
        * Don't click on links in email messages. Type the URL in your browser manually.
        * Disable the preview pane in all your inboxes.
        * Read all email in plain text.
        * Don't open email attachments.
        * Don't use Java, JavaScript, and ActiveX.
        * Don't check your email with Microsoft Outlook or Outlook Express.
        * Don't display your email address on your web site.
        * Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
        * Don't let the computer save your passwords.
        * Don't trust the "From" line in email messages.
        * Never Use Internet Explorer and instead Switch to Firefox.
        * Never run a program unless you know it to be authored by a person or company that you trust.
        * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
        * Don't count on your email system to block all worms and viruses.
        * Get a Mac
"

Now, how many of those do you think the average computer user knows about? Not many, I think. Most people see features and want to use them so they ignore many of those suggestions. Thus, this common geek sense is not common sense to the average user, and frankly I wouldn't expect the average user to remember or know all of this stuff all of the time unless we tested computer users like we did drivers, and even that has gaping holes.

Re:We wouldn't be having this problem if... (5, Insightful)

chrisv (12054) | more than 7 years ago | (#17029390)

Even of the items that I know about - which is most of them - that doesn't mean that I follow them. As far as them being common "geek" sense, they might be, but:

  • "Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message are a result of the mail client automatically highlighting what looks like a link.
  • "Disable the preview pane in all your inboxes." - That's what you disable any sort of active content for in the first place - it should be the default in any reasonable mail client to not have any sort of active content running in your mail client.
  • "Read all email in plain text." - and this one as well.
  • "Don't open email attachments." - this falls into the category of something most people probably don't know about, but that's because they tend to trust their email. As far as it goes, though, don't open unexpected attachments seems more correct than not opening any attachments.
  • "Don't use Java, JavaScript, and ActiveX." - It's not Java and JavaScript that you need to worry about so much, it's ActiveX. And since the only browser that will run ActiveX is MSIE, that's already been taken care of by one of the other suggestions farther down this list.
  • "Don't check your email with Microsoft Outlook or Outlook Express." - which is perfectly acceptable in a personal context. Too many businesses, however, mandate Outlook and Exchange. Get businesses off of Exchange once a viable competitor becomes available and then getting them off of Outlook becomes easier.
  • "Don't display your email address on your web site." - or on any website, if you can get away with it.
  • "Don't follow links in web pages, email messages, or newsgroup without knowing what they link to." - That's the first point on this list, really.
  • "Don't let the computer save your passwords." - I'll agree with this one, but for places that I don't care about the password that I use, it still gets saved here on the computer, simply because I'll never remember the account name / password the next time I need to use it if I don't.
  • "Don't trust the "From" line in email messages." - perfectly reasonable.
  • "Never Use Internet Explorer and instead Switch to Firefox." - Don't I wish life were that easy? Reasonable idea, but talk 80% of the users of the internet into it... until then, it's not going away.
  • "Never run a program unless you know it to be authored by a person or company that you trust." - perfectly reasonable.
  • "Read the User Agreement thoroughly on all software you download to ensure it is not spyware." - this gets you approximately nowhere, since pretty much every EULA includes clauses that basically allow the distributor / author of the software to do whatever they want to your computer without any liability on their part.
  • "Don't count on your email system to block all worms and viruses." - this is one of those things that should be obvious to anyone who has been online for more than an hour.
  • "Get a Mac" - as much as I like this idea, that sounds like an idea that would just change the targets of viruses and worms from Windows-based platforms to Mac-based platforms. They might be more secure - but how frequently is a Mac targeted in preference to a Windows system?

So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place. Security would be better if it wasn't for the hideous defaults that we put up with - which in an ideal environment without worms and viruses and such would make for better usability, but since most people don't use their computers in a hermetically sealed room with no connection to the outside world whatsoever...

Re:We wouldn't be having this problem if... (3, Insightful)

TubeSteak (669689) | more than 7 years ago | (#17029568)

So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place.
Common sense isn't always so common.

Computer security is a state of mind. Maybe if the internet was more like a construction site, where not being safe = losing a finger... people might take the time to learn how to anticipate threats instead of just blindly applying a set of rules.

Re:We wouldn't be having this problem if... (2, Insightful)

timmarhy (659436) | more than 7 years ago | (#17029596)

i've got 5 better rules: 1. be paranoid 2. be paranoid 3. dont' download exe's from p2p or torrents. 4. dont' trust anything you get via email 5. don't use windows.

Re:We wouldn't be having this problem if... (1)

ZombieRoboNinja (905329) | more than 7 years ago | (#17029936)

""Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message are a result of the mail client automatically highlighting what looks like a link."

The issue, as I understand it, is that some phishing URLs use special characters very similar to standard English letters. Stuff like "http://update.mîcrosoft.com/" (notice the weird thingy on the "i"?) but possibly without even that visible a difference. So if you click the link or even copy-paste it, you risk being directed to a phishing site.

Re:We wouldn't be having this problem if... (1)

Tim C (15259) | more than 7 years ago | (#17030196)

So if you click the link or even copy-paste it, you risk being directed to a phishing site.

Hence the original rule is "type the address in manually".

Re:We wouldn't be having this problem if... (1)

lazy_playboy (236084) | more than 7 years ago | (#17029948)

"Get a Mac" - as much as I like this idea, that sounds like an idea that would just change the targets of viruses and worms from Windows-based platforms to Mac-based platforms. They might be more secure - but how frequently is a Mac targeted in preference to a Windows system?
Ahhh, the 'macs don't have viruses/worms because they are less common, and therefore not targeted' argument. Except that OS 9 was less widely used than OS X and had many viruses. And which virus/worm writer wouldn't want to be the first successful writer for OS X? I don't think that there can be any doubt that OS X is being targeted.

Re:We wouldn't be having this problem if... (1)

drsmithy (35869) | more than 7 years ago | (#17030318)

Ahhh, the 'macs don't have viruses/worms because they are less common, and therefore not targeted' argument. Except that OS 9 was less widely used than OS X and had many viruses.

MacOS "Classic" was significantly more widely used than OS X.

And which virus/worm writer wouldn't want to be the first successful writer for OS X?

The hard part about viruses isn't creating them, it's getting them to spread. When only one in 100 machines is a target, it's not going to spread very fast.

I don't think that there can be any doubt that OS X is being targeted.

I don't think there's any doubt it is targeted orders of magnitude less than Windows (or, indeed, even Linux - albeit for different reasons).

"Market share" is a simple way of referring to a number of significant factors which all combine to make Windows vastly more exploited than other platforms - and "security" (whatever the hell that's supposed to mean) is a relatively minor factor.

Re:We wouldn't be having this problem if... (1)

SillyNickName4me (760022) | more than 7 years ago | (#17030360)

The hard part about viruses isn't creating them, it's getting them to spread. When only one in 100 machines is a target, it's not going to spread very fast.

Yet there are thousands of viruses for AmigaOS for example..

Re:We wouldn't be having this problem if... (1)

drsmithy (35869) | more than 7 years ago | (#17030426)

Yet there are thousands of viruses for AmigaOS for example..

Probably because the Amiga was, in its past, one of the most popular computing platforms in the world.

Re:We wouldn't be having this problem if... (1)

Fred_A (10934) | more than 7 years ago | (#17030580)

Not to mention that it could multitask, presumably making the execution of viruses that much easier and more transparent to the user, especially compared to a DOS box where a lot of hacks were required to create a so-called TSR (Terminate and Stay Resident, for those lucky enough not to have encountered those ugly beasts) program.

Re:We wouldn't be having this problem if... (1)

SillyNickName4me (760022) | more than 7 years ago | (#17030726)

Not to mention that it could multitask, presumably making the execution of viruses that much easier and more transparent to the user, especially compared to a DOS box where a lot of hacks were required to create a so-called TSR (Terminate and Stay Resident, for those lucky enough not to have encountered those ugly beasts) program.

A memory resident virus on DOS needs techniques somewhat similar to a TSR, but much simpler. All it needs to do is allocate a bit of memory for itself and hook one of the interupts used for calling DOS. Not a very difficult thing to do, and on DOS there are no provisions for managing multiple programs, so there was no need to try and hide from those either.

Not to mention that there were a lot of viruses on DOS as well as AmigaOS that were not memory resident, and did not need such features at all.

Re:We wouldn't be having this problem if... (1)

SillyNickName4me (760022) | more than 7 years ago | (#17030682)

Probably because the Amiga was, in its past, one of the most popular computing platforms in the world.

Uh no, it has never been anywhere close to 'one of the most popular computing platforms in the world', see http://www.pegasus3d.com/total_share.html [pegasus3d.com] and http://arstechnica.com/articles/culture/total-shar e.ars [arstechnica.com]

Outlook not so good - and as for exchange (3, Insightful)

dbIII (701233) | more than 7 years ago | (#17029950)

Get businesses off of Exchange once a viable competitor becomes available

There is a thing called email which is far more useful and has been around longer - you also can use mbox files readable even by a text editor instead of some weird database that requires shareware to fix when it gets corrupted. If Microsoft provided tools to support their own products properly I would recommend it - but no, conventional email servers available from a lot of different sources are superior in almost every way. Even the horrible sendmail configuration file is superior to weird registry hacks to change the behavior of exchange.

Disclaimer - I've only looked after 3 MS Exchange servers and one bare metal rebuild from backup to recover old mail (nightmare that would never be required with a sane mailbox format - the whole thing is just too fragile and finicky and required an install with the same service packs, identical company info strings in the install, same registry hacks etc). Open relay by default with one patch too aparently - or perhaps that just has to be fiction because they could not be that stupid could they?

Re:We wouldn't be having this problem if... (1)

Moraelin (679338) | more than 7 years ago | (#17030590)

"Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message are a result of the mail client automatically highlighting what looks like a link.


Not necessarily overkill. An exploit which existed for quite sometime are Unicode characters which look the same as an US ASCII character. E.g., the greek omicron looks pretty much exactly like an "o". Someone could jolly well have you think you're going to "www.mozilla.com" when it's actually written with an omicron and is, in fact, a completely different site. Or there are a lot of other blocks in Unicode, e.g., the cyrillic (russian) block that has characters which look just like an US ASCII character to you, but to a computer (e.g., to the DNS server) they're a completely different character code.

For reference, see Bruce Schneier. [schneier.com]

So if your mail client supports UTF-8, and honours the encoding in the headers, you can stare at that link long and hard and even in text mode, and it will look legit.

"Disable the preview pane in all your inboxes." - That's what you disable any sort of active content for in the first place - it should be the default in any reasonable mail client to not have any sort of active content running in your mail client.


Disabling active content will go a long way, but won't defend you against buffer overflows. If you have a preview pane enabled in Outlook, you can't even (easily) delete such a virus without becoming infected, because the moment you've clicked on it, the buffer overflow has already happened. So, yes, by all means, please do disable the active content, but also do disable the preview pane.

"Don't use Java, JavaScript, and ActiveX." - It's not Java and JavaScript that you need to worry about so much, it's ActiveX. And since the only browser that will run ActiveX is MSIE, that's already been taken care of by one of the other suggestions farther down this list.


A lot of exploits are/were based on JavaScript exploits, believe it or not. A lot of the fake-ui phishing attacks use JavaScript to, for example, spawn a window without the toolbars and URL bar and with a faked set of bars there. And a lot of cross-site scripting attacks rely on JavaScript to do the dirty work. It may be a badly designed site, rather than a vulnerability of JavaScript itself, but you can do a lot worse than disabling one piece of the puzzle that they rely on. Etc.

As for ActiveX, heh. Don't dismiss that so quickly. I know at least one marketter-turned-(bad-wannabe-)programmer who was telling me about how he cleverly uses Mozilla to be safe from all the IE exploits, but installed some plugin that executes ActiveX in Mozilla. Now I don't know what plugin that is, and wasn't too interested to find out, but I found it funny that someone could be that clueless. The moment you install the same inherent vulnerability in Mozilla, then all that false feeling of security is just Cargo Cult.

Or see the many people who think they're somehow secure because of ditching IE... when all they've done is download some "3rd party browser" that's just a funky border around IE. There are thousands of those "browsers" by now.

So, yeah, I'd insist on hammering that one separately into people's heads. Because, as above, if you just tell them "don't use IE because it's not secure", but they don't understand why and what parts, they'll find a way to shoot themselves in the foot unknowingly.

And one more point: don't forget in all this talk about email clients. There is _no_ excuse for those to be able to run Java, JavaScript or ActiveX in an email. Ever. It may be very obvious to you, but you'd be surprised how many people don't find this obvious.

"Never run a program unless you know it to be authored by a person or company that you trust." - perfectly reasonable


Perfectly reasonable, and maybe even obvious, but you'd be surprised how many people send around some cute (trojan) screen-saver or mini-game they found on the internet. At the previous company even one of the bosses sent one of those around, which was already known by a few people to be a trojan. (The boss obviously didn't, though.)

Also, while it may be obvious for stuff coming in an email, you'd be surprised how many people run mods, cheats, warez, etc, downloaded off some dodgy site. Being on a web site somehow makes it seem more legitimate. Throw in some bait, and it becomes doubly so. Tell a few saps that you have some memory-resident cheat for World Of Warcraft or some new not-detected-by-punkbuster CS wall hack, and watch their common sense get shut-down and disabled.

So, again, I'm all for hammering this into people's heads until they actually start remembering it.

"Don't check your email with Microsoft Outlook or Outlook Express." - which is perfectly acceptable in a personal context. Too many businesses, however, mandate Outlook and Exchange. Get businesses off of Exchange once a viable competitor becomes available and then getting them off of Outlook becomes easier.


In which case it's not as much aimed at the peon who got that pre-installed, but at the PHB who decided to standardize on Outlook and Exchange. I.e., again, I can't see anything inherently wrong with his saying it. If those people get their only information from some IT-for-PHB's ragazines and disguised ad ragazines, while the rest of us just go "oh well, most people don't have control so let's not say it" they'll never even know there's something wrong with Outlook.

Etc.

Basically I'm not saying that this list is either the alpha-and-omega, or the one recipe that's 100% applicable to the letter, but, still, I can't see anything wrong with someone writing it.

Response from Joe Luser (5, Insightful)

britneys 9th husband (741556) | more than 7 years ago | (#17029620)

* Don't click on links in email messages. Type the URL in your browser manually.
Too much work. I bought this computer to make my life easier.

                * Disable the preview pane in all your inboxes.
How do I do that? I'm not smart like you when it comes to computers.

                * Read all email in plain text.
I wouldn't get to see the pictures my friends send me if I did that.

                * Don't open email attachments.
What? And miss out on the lasest web games my friends are playing?

                * Don't use Java, JavaScript, and ActiveX.
No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.

                * Don't check your email with Microsoft Outlook or Outlook Express.
But Outlook is what my computer came with. I can't afford a new computer this month.

                * Don't display your email address on your web site.
Unacceptable. My customers need to be able to contact me.

                * Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
How do I know what it links to before I click?

                * Don't let the computer save your passwords.
Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.

                * Don't trust the "From" line in email messages.
Then how do I know who sent me the mail?

                * Never Use Internet Explorer and instead Switch to Firefox.
I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.

                * Never run a program unless you know it to be authored by a person or company that you trust.
How do I know who wrote the software, it just shows up on my computer?

                * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.

                * Don't count on your email system to block all worms and viruses.
Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?

                * Get a Mac
At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.

Re:Response from Joe Luser (2, Insightful)

jrockway (229604) | more than 7 years ago | (#17029964)

Good post. Most of the above points are things the computer should do properly -- the user shouldn't have to work around insecurity on the Internet.

JS/Java interpreters should not be able to enter a state where they can damage the user's computer. Maybe they'll crash the tab that they were loaded from, but that's it. This isn't quite how things work today, but software can be improved. Firefox and Java are open source, so that makes finding and fixing any insecurity easier.

The same goes for clicking links in e-mail. You should be able to click any link. The worse thing that can happen is you think the site is your banks (sorry, you're just dumb), or you get the goatse guy. Get over it and move on -- clicking a link should not cause any code execution on your computer.

Re:We wouldn't be having this problem if... (1)

odourpreventer (898853) | more than 7 years ago | (#17030606)

Don't check your email with Microsoft Outlook or Outlook Express.
Never Use Internet Explorer and instead Switch to Firefox.

I've tried in vain to make people switch to Firefox, Opera and Thunderbird. Not even my geek buddies want to change. They already know of all the flaws in the MS products, but for some strange reason they can't be bothered. I'm trying to make my tech-idiot dad warm up to Opera (my fav) because he's having problems with IE, but it's a very slow process.

Re:We wouldn't be having this problem if... (0)

Anonymous Coward | more than 7 years ago | (#17030120)

A society is in decay when common sense has become uncommon. ~ Chesterton

Da Spaghetti Code (0, Offtopic)

Doc Ruby (173196) | more than 7 years ago | (#17029102)

Yikes - I just saw some talking head on TV tonight referring to Iraq's security absurdity as "the Good, the Bad, and the Ugly", referring to a partition into Kurdistan, Sunnistan and Shiastan.

Not Kidding. Weird.

The 21st Century is wild at heart and weird on top.

Re:Da Spaghetti Code (0)

Anonymous Coward | more than 7 years ago | (#17029756)

[quote]The 21st Century is wild at heart and weird on top.[quote]

So's your mother?

I KEED I KEED

-triumph the insult comic AC

Re:Da Spaghetti Code (1)

Dunbal (464142) | more than 7 years ago | (#17029976)

referring to a partition into Kurdistan

      Cool, I didn't know gparted could do a whole country!

Don't worry! (5, Funny)

stoneycoder (1020591) | more than 7 years ago | (#17029114)

Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.

Re:Don't worry! (1)

jon_joy_1999 (946738) | more than 7 years ago | (#17029278)

only between the times of 04:00 and 04:01 on days not ending in y

??? you mean like this... (1)

NotQuiteReal (608241) | more than 7 years ago | (#17029566)

days not ending in y

lunes, martes, miércoles, jueves, viernes, sábado, domingo

Gonna have to dig deeper.

Re:??? you mean like this... (0)

Anonymous Coward | more than 7 years ago | (#17030044)

Okay, who let the Mexican midgets in?

It can mean only one thing... (3, Funny)

Kadin2048 (468275) | more than 7 years ago | (#17029308)

Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.

Then it is true: Windows Vista is Bill Gates' secret doomsday weapon, the final piece of his twisted plot for total domination, which will destroy humanity and bring about the rise of the machines in our place!

I always knew that paperclip looked shifty.

you got it slightly wrong (2, Insightful)

commodoresloat (172735) | more than 7 years ago | (#17030962)

Vista will employ a new paradigm of security based on this article; it will be known as Security Through Absurdity.

Seems a little Windows-centric ... (0)

Anonymous Coward | more than 7 years ago | (#17029116)

The article doesn't have much to say outside of the world of Microsoft Windows. MS-Windows security (or lack of it) is certainly a huge issue in IT security, but it is not the only OS in the world. The number of areas where Windows is 'the only game in town' is rapidly shrinking. Switching to other platforms to the degree possible is certainly one way to cut down on virus/spyware woes and insulate yourself from the vast majority of 'in the wild' exploits.

Re:Seems a little Windows-centric ... (1)

thedarknite (1031380) | more than 7 years ago | (#17029186)

Only until other systems become prevalent enough to be viable targets, although having a diverse enough population will mean that fewer systems overall will be affected by any particular exploit.

You can a totally secure system. But it won't be doing much unplugged and locked up.

Re:Seems a little Windows-centric ... (5, Insightful)

dsci (658278) | more than 7 years ago | (#17029498)

Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.

Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.

The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.

Re:Seems a little Windows-centric ... (3, Insightful)

penix1 (722987) | more than 7 years ago | (#17029790)

To play Devil's advocate (hey, I'm in Gentoo) You are talking about servers versus single user systems. Linux isn't in the same class target wise as Windows simply because it isn't the OS of choice for Joe Sixpack. When that happens, I feel you will see just as many stupidly successful attacks as you see today in Windows. Why? Because the targets will be those same people that use "password" or "12345" for their security. Remember, rootkits existed for *nix long before they existed for Windows. The security of any system, be it Linux, Unix, Windows, OS X, etc... Is solely dependent on the one at the keyboard and unfortunately all too often that person is an idiot.

B.

Re:Seems a little Windows-centric ... (1)

tfinniga (555989) | more than 7 years ago | (#17030030)

The security of any system ... Is solely dependent on the one at the keyboard and unfortunately all too often that person is an idiot.

Well, I think that's a bit of an over simplification. Sure, the end-user can screw things up - there's nothing you can really do to keep people from screwing up their own machines, if that's what they're into. However, the system design can push things one way other the other. For example, you can make the stack non-executable, getting rid of most buffer over-runs. You can run at a lower security level, requiring user interaction to get elevated privileges. You can default to a browser that runs at an ultra-low security level and reports phishing websites.

Alternatively, you can use a global, shared memory space, omit access controls, and maybe put a big red button on the desktop that will delete all files, and join a botnet. Then for fun, make it so the button can be activated remotely. As a corollary, you could include advanced safety measures, but require recompiling the kernel and hex-editing the resulting binary.

Given the same users, the system with the better design will generally be safer. Although, granted, Bonzi Buddy or Weatherbug could be designed for any OS.

Re:Seems a little Windows-centric ... (0)

Anonymous Coward | more than 7 years ago | (#17029808)

They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines.

The fact that a default Windows desktop installation needs a firewall alone speaks volumes.

You can argue about whether it is simply the default security model or braindead design all you want [..]

I don't see what to argue here...

Re:Seems a little Windows-centric ... (1)

thedarknite (1031380) | more than 7 years ago | (#17030052)

You are using Linux in a broader fashion than I would, considering there are over a hundred different distributions available. Let's say openSUSE replaces Windows as the dominant operating system, I think you'll find that the number times that they are "pwned" will increase significantly. If it's on a network then it's not secure, if someone really wants to screw with your systems then they will figure out how.

Re:Seems a little Windows-centric ... (5, Interesting)

IamTheRealMike (537420) | more than 7 years ago | (#17030106)

The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period.

No. Just no.

I hate this sort of comparison, because it's bogus. It's a classic apples and oranges situation. You are comparing the security of Apache to IIS, not Linux to Windows. Modern versions of IIS are pretty good from what I hear, and besides it's not very hard to be secure when all you run is a firewall and a web server.

If you want to do a real comparison you should compare the Linux desktop to the Windows desktop. Your average Linux desktop is a security nightmare. Firstly there's no active security whatsoever, it's all passive. IE there are no virus scanners/anti-malware tools in common deployment. If the passive defences fail you are screwed, you cannot easily distribute signatures etc to clean up the mess. Secondly, the Linux security model is simply the UNIX security model, which was designed in the 70s for a totally different set of threats. Your average desktop is not a mainframe and does not need to protect users from one another - instead it's decayed into some kind of trivial black/white coarse grained security model in which "root" has absolute power and "users" have less power.

Unfortunately, Linux trains the user to enter their password all the time, given an essentially random set of situations. You have to enter your password to install software, remove software, configure hardware, set the system clock and worst of all to install security updates. The tasks that require root are to the average user totally unconnected. If you are a UNIX geek you can probably figure out why something might need root, but you're in the minority. So users are trained to just enter their password whenever they are asked to, making it trivial to phish it out of them.

Even if you can't get root - who cares? On a modern Linux desktop you can do anything you need without it. Want to crack bank details? Go right ahead, Firefox runs as user and you can ptrace() it to your hearts content. Want to hook into startup so you always run? KDE and GNOME will be happy to oblige. Want to "hide" yourself without modifying the kernel? No problem either, just inject yourself into the address space of each program as it starts and then hook the syscalls at the libc level. Childs play.

So to put it simply - you are dead wrong. The underlying problem at the system level is the system, which is basically the same regardless of whether you use Windows, MacOS or Linux. The UNIX/NT security model is incapable of solving the problem of malicious software, period.

Re:Seems a little Windows-centric ... (1)

drsmithy (35869) | more than 7 years ago | (#17030406)

Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.

Not really. The proportion of internet-connected machines which are Linux/Apache servers is tiny and most of the people running them will detect and remedy any exploits in short order.

Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.

You do realise that the vast, vast bulk of exploited Windows machines weren't "pwned" by any sort of remote attack, right ?

Servers have _completely_ different risk and exposure profiles to desktop - particularly unmanaged desktop - PCs. So different that even trying to draw conclusions about one based on the other is laughable.

The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.

Except at the system level, Windows's security model is (relatively) quite solid. By any objective measure, the security infrastructure of Windows is (relatively) good. Clearly, the problem isn't there.

Security of who? (0)

Anonymous Coward | more than 7 years ago | (#17029120)

A system that is perfectly secure, and has no vulnerabilities is not necessarily a good thing for freedom, liberty and man.

For example, the soviet government, the east german government all tried to acheive perfect security. Had they succeeded it would have been a disaster. Had their Nazi documents been impossible to forge, how many of the persectued would have been unable to flee?

How secure is it when all "security" means is that a select group of people can do you harm if they suddenly so determine or need to "sacrifice" you?

A system of perfect "security" is less resilient to a tyrannical regime change.

Yeah, when there's background noise of people able to work around a system.

Honestly, that's it's truly secure.

Anyways, hope what I am saying never makes sense.

Re:Security of who? (1)

Ninjaesque One (902204) | more than 7 years ago | (#17029192)

We have Pretty Damn Good Security(cl) on most varieties of Linux, but we also have open source on Linux.

Which leads to one obvious comment:

I, for one, have already started worshipping my Secure Soviet LinuxLords.

Re:Security of who? (2, Informative)

DrKyle (818035) | more than 7 years ago | (#17029334)

Soviets and East Germany were not Nazis, they were communists. Just thought I would point that out.

Re:Security of who? (1)

foobsr (693224) | more than 7 years ago | (#17029608)

Soviets and East Germany were not Nazis, they were communists.

They were pretending to be.

CC.

Re:Security of who? (1)

SP33doh (930735) | more than 7 years ago | (#17029344)

for example, American revolution. if you want the security of the British empire then go back. or you could grow some balls and fight for america in the revolution in an attempt to have freedom and liberty.

I feel naked... (0, Offtopic)

Thaidog (235587) | more than 7 years ago | (#17029138)

Wait I AM naked! GD VPN!!!

Re:I feel naked... (0)

Anonymous Coward | more than 7 years ago | (#17029592)

get naked and nasty on http://anonet.org/ [anonet.org] :D

shut the fuck up (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17029220)

you fudge packing faggots. what the fuck do y'all know about security anyway? fucking bitchez

Randomly Generated Title? (5, Funny)

skywire (469351) | more than 7 years ago | (#17029280)

Try to guess which one is a Slashdot headline:

"Alteration Frequents From Space-Age Poetry Bannister"
"From Tabletop Mannered Asterisk Will Age Understood"
"Community Comments To Security Absurdity Article"
"Likely Georgetown Under Wisely Instantiation If"

Re:Randomly Generated Title? (0, Redundant)

jeffx2k (769056) | more than 7 years ago | (#17029714)

that's EXACTLY what I thought when I saw the title... say whaaaaaaaat?

Wrong approch (3, Insightful)

cryptoluddite (658517) | more than 7 years ago | (#17029316)

We're taking the wrong approach to security. You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure. Or you can fight a cause and however much it costs you that problem is solved for good.

Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.

This entire class of low-level flaws can be solved completely. Then it's just the higher-level problems like impersonating web pages, xss, some trojans, that kind of thing. Still a problem, yeah, but without the entire class of automatic propagation it is so much less of one.

Right approach; at least for some. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#17029426)

You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure.

Where I come from, they call this "securing your revenue stream."

Seems like the security companies are doing A-OK there; they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.

Like all arms races, if you're in the arms business, you can laugh all the way to the bank. (Until someone decides to rob you, that is.)

OT, I know, but (1)

dsci (658278) | more than 7 years ago | (#17029522)

they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.

Wow. That simple statement also sums up the War on Drugs.

disclaimer: USED to work in Law Enforcement as part of said "war"...

Re:OT, I know, but (1)

foobsr (693224) | more than 7 years ago | (#17029650)

Wow. That simple statement also sums up the War on Drugs.

Any war (perhaps)?

CC.

Re:Wrong approch (2, Informative)

Duncan3 (10537) | more than 7 years ago | (#17029468)

*laughs* And yet every worm, trojan, and rootkit uses officially documented API's to install and do what they do.

I think you were looking for the language war article. This one is about ignorant users clicking "OK" to things.

Re:Wrong approch (1)

zptao (979069) | more than 7 years ago | (#17029920)

They've started to document vulnerabilities in apps where you can cause a buffer overflow and execute code? Man, you guys move too fast for me!

Re:Wrong approch (1)

cryptoluddite (658517) | more than 7 years ago | (#17030252)

The problem is the bugs that they use to install and do what they do. Your implication that 'every worm, trojan, and rootkit only uses officially documented APIs' is just absurd. Why apply any security patches at all if the answer is just not to click "OK"?

The user's environment could be restructured so that clicking "open this program" does not allow it to escape and mess up the whole system. So while a user may install google toolbar, and it may report to google everything done, and it may crack passwords and do DoS against some advertiser who didn't pay, when the user selects "Remove google toolbar" it is guarenteed to be gone. But you cannot do this when any program can be hacked at the lowest levels simply because it is written in an unsafe language.

Even high level code like javascript could be constructed to cause a failure in the interpreter, written in an unsafe language, and then escape whatever restrictions are supposedly placed on it (like only being able to run as javascript code for instance).

Re:Wrong approch (1)

Dunbal (464142) | more than 7 years ago | (#17029944)

The biggest problem is C and all the other non-typesafe languages.

      Are you proposing we burn all the compilers and shoot everyone who knows C? The very power of the C language comes from its lack of structure. Besides, there's nothing you can do in C that you couldn't do in assembly.

Re:Wrong approch (4, Insightful)

IamTheRealMike (537420) | more than 7 years ago | (#17030130)

The problem is that the typesafe languages are not realistic for writing desktop software in. Both Java and .NET are plagued with serious technical problems - which is why so few desktop apps are written using them. Even trivial optimisations like stack allocation cannot be done by the programmer in these languages, they take advanced analyses running inside complex optimizing compilers .... running on the users desktop.

Basically, you are right that using these languages would eliminate whole classes of vulnerabilities. But they would not eliminate all of them, and the costs are huge in terms of writing efficient, pleasant-to-use software. Stuff written in Java today is just uncompetitive, secure or not.

Re:Wrong approch (1)

drsmithy (35869) | more than 7 years ago | (#17030332)

Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.

The point is valid, but the vast, vast majority of security breaches have nothing to do with software flaws (be they design or implementation).

An OS implemented top to bottom in a typesafe language, would not remove the need for a virus scanner.

three solutions (4, Insightful)

bcrowell (177657) | more than 7 years ago | (#17029326)

A person can go to his/her local computer store and purchase an expensive new computer, plug it in, turn it on and go get a coffee. When he/she returns the computer could already be infected with a trojan and being used in a botnet to send out spam, participate in phishing attacks, virus propagation, and denial-of-service attacks, etc.
I assume the operating system was Windows? Solutions:
  1. Buy a Mac.
  2. Buy a machine with Linux preinstalled.
  3. Buy a Windows machine, and put it behind a $20 router with a built-in firewall.

Re:three solutions (1)

clifgriffin (676199) | more than 7 years ago | (#17029358)

Because when you install Linux (all distributions), it is automagically preconfigured for security. Who are you kidding? Most people I know who start out on their journey into the world of *nix run everything root. Security is less about the operating system, and more about the user.

Re:three solutions (1)

alshithead (981606) | more than 7 years ago | (#17029464)

Well said. ALL operating systems have vulnerabilities for those who are educated enough to exploit them. And, keep in mind social engineering. I think all vulnerabilities eventually boil down to users. You may have the best security possible on the computer but a few beers or a post-it note can cause a security breach.

Re:three solutions (1)

SP33doh (930735) | more than 7 years ago | (#17029360)

solution #4: stop taking about worms! what the hell. that's not even an issue anymore. (since XP SP2 has buit-in firewall that's on by default...)

Re:three solutions (1)

Ankur Dave (929048) | more than 7 years ago | (#17029474)

solution #4: stop taking about worms! what the hell. that's not even an issue anymore. (since XP SP2 has buit-in firewall that's on by default...)

That's an interesting point. Everyone talks about how you don't even have enough time to install the latest patches when you plug in a computer because viruses will take it over so fast. So is the Windows firewall letting things in that it shouldn't (I don't think that's so likely), is Internet Explorer letting itself be infected without ever visiting a site other than Windows Update (no way), or are they talking about Windows XP pre-SP2?

SP2 Firewall (5, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#17029550)

I'd love to hear a conclusive answer to this as well.

Also, I wonder what ports SP2 has open in its default, out-of-the-box configuration. Is it totally locked down, with no response to *anything* coming in from the outside? Or does it have a few services still running here and there that could be exploited? Plus, and perhaps this is a stupid question, if you're running a firewall on the local machine as opposed to on a dedicated box, isn't there always a problem of the firewall software having a vulnerability itself? Or the TCP/IP stack? (And why not -- stranger things have happened. Like firmware vulns.) I'm just thinking of everything on the machine that you could possibly overflow/break by sending malformatted packets, for example.

I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two. Since it's not unknown for vendors to load up PCs with all sorts of software, probably including compromised ActiveX controls, all it takes is a trip to the wrong site to get a rootkit/keylogger installed. From there, it's a one-way trip to reformatsville, at least if you're smart. (Which is a real trick, seeing as how many PCs don't even come with reinstall media, instead just taking a chunk of your hard drive for some shoddy "recovery partition.")

Re:SP2 Firewall (2, Informative)

Virtual_Raider (52165) | more than 7 years ago | (#17030156)

The first that come to mind are the 1900 and 5000 UPnP ports http://www.grc.com/port_1900.htm [grc.com] .

If you fidget a little I'm pretty sure you can unearth some others. For a good reference list where else but here [slashdot.org] ?

Re:SP2 Firewall (1)

Tim C (15259) | more than 7 years ago | (#17030216)

I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two.

For a lot of users, whether or not they keep their machine patched is largely immaterial - they'll end up rooting themselves sooner or later when they voluntarily run a trojan or virus. Remote exploits are dangerous yes, but nowhere near as common as an idiot sat at the keyboard with an admin login.

Re:SP2 Firewall (1)

robot_lords_of_tokyo (911299) | more than 7 years ago | (#17030780)

amen, regardless of the OS

Re:SP2 Firewall (1)

weicco (645927) | more than 7 years ago | (#17030788)

Of course you could just install fresh Windows XP with SP2 to your network and do a network scan to see what ports are open and has someone actually listening to them...

The real problem, as said many times earlier, is the user. He/she surfs the web with admin rights and no matter what browser they are using they get infected. "Hey! That's a nice plugin/add-on/whatever for MSN Messenger. I'll install and download that..." said my ex-wife's cousing and then poor Weicco was forced to remove viruses, trojans and such from infected XP (it took 4 hours, I don't have much experience about cleaning Windowses).

There's no way to prevent users doing stupid things. That user I mentioned was native finninsh speaking 15 year old girl using localized finnish XP. XP/browser/AV-software/something asked question "Do you really want to run this program, it could be a virus?" in finnish and still she clicked the Yes button. Luckily I'm not married anymore :)

Re:three solutions (1)

Charan (563851) | more than 7 years ago | (#17029518)

3. Buy a Windows machine, and put it behind a $20 router with a built-in firewall.

I wouldn't put so much faith in those $20 routers. They too are vulnerable to exploits [techtarget.com] , but routers will never get patched. IIRC, Linksys manuals even tell the user to never do a firmware upgrade since it might brick the device.

Maybe the router itself isn't powerful enough of a platform to be a spam relay or help in a DDoS, but once it's compromised it can give an attacker unhindered local access to your network. Reinstalling your desktop OS won't fix this problem.

Re:three solutions (1)

TheGrinningFool (1014867) | more than 7 years ago | (#17029640)

from the article you referenced:
The vulnerability specifically exists in the 'ezconfig.asp' handler of the httpd running on the internal interfaces, including, by default the wireless interface,"
Wow -- are they running windows server in a router? No wonder there are problems!

As far as patching -- of course routers get patched. That's what firmware updates are for. Linksys is still releasing firmware updates for a router I've had for five years. (Worth noting that in that time, NOTHING has gotten past it. Nothing. At all. On an always-on cable connection ) As far as recommending to not upgrade firmware -- I would say that you do not recall correctly. The only such warning I get says not to turn off the router while in the midst of flashing the firmware.

So yes, in theory it can give an attacker unhindered local access to your network (if the attacker was savvy enough-- unlikely), but they do first have to break the router's security. And in spite of what you've posted, this is no mean feat.

Re:three solutions (1)

Charan (563851) | more than 7 years ago | (#17030202)

As far as patching -- of course routers get patched. That's what firmware updates are for. Linksys is still releasing firmware updates for a router I've had for five years.

Making firware updates available isn't enough. They actually need to get installed. How many users do you think get them? How many do you think even know that a router has firmware that needs patching? Keep in mind that many Windows users wouldn't install patches until Microsoft forced them to. Yes, you can blame the users for being ignorant and for not keeping their system secure. That doesn't change the fact that unpatched, vulnerable routers are present in droves on the net.

Worth noting that in that time, NOTHING has gotten past it. Nothing. At all. On an always-on cable connection

What you mean is you haven't noticed anything getting past it. Detection methods aren't doing too great, according to the Security Absurdity article. I don't doubt your spirit. I don't think I would notice if my router got infected either. But in all honesty, you're probably right.

As far as recommending to not upgrade firmware -- I would say that you do not recall correctly. The only such warning I get says not to turn off the router while in the midst of flashing the firmware.

Yep. Went ahead and looked it up, and you're right. Nowhere does it say, "Don't upgrade!" However, it does give this message:

If the Router's Internet connection is working well, there is no need to download a newer firmware version, unless that version contains new features that you would like to use. Downloading a more current version of Router firmware will not enhance the quality or speed of your Internet connection, and may disrupt your current connection stability. - WRT54G User's Guide, p. 70.

Re:three solutions (1)

TubeSteak (669689) | more than 7 years ago | (#17029598)

3. Buy a Windows machine, and put it behind a $20 router with a built-in firewall.

Do you even need a firewall? Doesn't NAT auto-magically protect you?

rofl (1)

governorx (524152) | more than 7 years ago | (#17029820)

Auto-magically? And here I was looking for a fortified "barrier" spell to cast. Thank god I don't have to pretend to read and speak Latin, waive a pen in the air, and draw pentagrams on my boxes. Phew.. Dodged some bullets. Thanks. Thanks a lot.

Re:rofl (1)

Fred_A (10934) | more than 7 years ago | (#17030640)

Thank god I don't have to pretend to read and speak Latin, waive a pen in the air, and draw pentagrams on my boxes.
A fat lot of good that would do if you didn't wave the dead chicken anyway... ;)

Re:three solutions (2, Informative)

OldManAndTheC++ (723450) | more than 7 years ago | (#17029930)

Doesn't NAT auto-magically protect you?

It does until someone tells little Johnny to DMZ his machine so his game will work.

Fix: use router passphrases that the delinquent is unlikely to guess, like "work is its own reward" or "idle hands are the devil's tools"

Re:three solutions (1)

Chabil Ha' (875116) | more than 7 years ago | (#17029768)

Sure that blocks malicious people from getting in. What happens if users unwittingly download a trojan while surfing on the net? Now Mr. Keylogger etc. has unfettered access out. Yes, now it's really that much more secure. I'm more afraid of malicious code being accidentally executed on a computer than someone zombifying the machine from outside...

Re:three solutions (2, Interesting)

bcrowell (177657) | more than 7 years ago | (#17029856)

I wasn't claiming to have found the magic solution to all security problems. I was just claiming to have found three pretty simple solutions to one particular security problem referred to in the article: the situation where your brand-new computer gets owned while you're still in the process of downloading security updates.

What I object to about the article is that it makes it sound like security is a disaster for everybody. No, actually security is a disaster for everybody who hasn't learned certain skills. Those people happen to be more than 50% of all internet users, but they're still not everybody. The problem is that we're living in a world where a computer user has to be able to do the equivalent of changing the oil in his own car -- some people can, but most people can't.

Now correct me if I'm wrong... (1)

patio11 (857072) | more than 7 years ago | (#17029832)

... but I was under the impression that most "brand new expensive computers" would be running Windows XP with SP2 pre-installed, and that comes with a firewall which, while not exactly a suit of platemail, will certainly suffice to make sure that any security vulnerability exploited on your own machine came in from a connection you authorized.

Somebody tell the security writer what "trojan" means, by the way. I mean, I might have abandoned my history major halfway through, but I don't remember the moral of the story being "Beware when large wooden horses are outside your wall, because that means when you go on a coffee break the large wooden horse will teleport inside your wall, and then disgorge Greeks".

Re:three solutions (2, Informative)

MrNonchalant (767683) | more than 7 years ago | (#17029888)

Or:
4. Realize that doesn't happen anymore because the firewall that ships with SP2 is an adequate defense.

Network worms targeting out-of-the-box Windows boxes are a thing largely of the past. What may happen is after two months of using the computer and clicking "OK" to those pesky dialogs asking for exceptions to the firewall one of those services may be insecure enough to allow a remote attack. She or he might also get themselves infected via some other method, like surfing the uglier parts of the web with IE6 or opening an executable attachment.

Re:three solutions (1)

1310nm (687270) | more than 7 years ago | (#17030326)

4) Slipstream your own patched SP2 disc so you'll have the ICF and won't be vulnerable to bot exploits from the moment you reboot following an install.

I'll go out on a limb here... (2, Insightful)

alshithead (981606) | more than 7 years ago | (#17029392)

I'm not sure we are experiencing a "profound failure" of security. "Profound" is a pretty extreme description. To me it implies a whole lot more problems than we really see. Hacking multiple power utilities to fail an entire country's grid might apply. What we really see is the failure of a fair number of ignorant individual users to secure their systems and some odds and ends type of security breaches of business and government entities. It's not like the major stock markets of multiple countries are being brought down or nukes have been launched. That could always potentially happen but what kind of really dire (profound) consequences have been seen?

1,000 Cuts (4, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#17029510)

Well, I would be with you, except that if you believe the numbers in TFA (the original, not in the comments), cybercrime is more profitable than the illegal drug trade. I assume there's probably even more money being spent trying to prevent and defeat cybercrime, and on security. That's a lot of money diverted from legitimate enterprise, and a lot of missed opportunities.

When people don't trust technology and don't use online banking, then banks don't spend as much on it. Venture capital and other sources of funding start to dry up; the pace of development slows.

It's not a problem that's probably going to result in a city being vaporized overnight, but that doesn't mean it's not a problem. It's like muggings in a large city: sure, you can wave it off and say that it only happens to tourists, rubes, and the unwary -- why should street-smart people care about it? -- but over time it starts to take its toll everywhere. The economic cost alone starts to act like a tax on everything, and it drives away customers and new business.

People who understand computers and know what precautions to take to prevent being victimized, cannot just put their heads in the sand about the current situation. Particularly since most people who are capable of understanding the problem, earn their living in some technology-driven field, it's those people who stand to be affected by the 'downstream' effects of cybercrime and a culture of insecurity.

Re:1,000 Cuts (1)

alshithead (981606) | more than 7 years ago | (#17029554)

You make a great point but don't address my point of the use of the word "profound". I'm currently working for a VERY large bank and it doesn't seem to be significantly impacted. From my admittedly biased view they seem to be putting a lot more resources into expanding their IT based offerings than fighting bad guys. Between their offerings for private individuals, small businesses, large corporations, and other banks it seems most of what they do is try to offer more services. They definitely aren't running scared. I see "profound" to be affecting a whole lot more than just having to convince the bank that someone stole money from my account.

Re:1,000 Cuts (1)

Phleg (523632) | more than 7 years ago | (#17030086)

I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typo's...not illiteracy.
I presume the spurious apostrophe was his fault, then? :)

Re:I'll go out on a limb here... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17029764)

I recently made a fresh install of Windows 2000. I connected to the internet (to download security patches) and within forty seconds, no-I-am-not-exaggerating, my computer was compromised and using all its' bandwidth to send god-knows-what. The installation saga ended after the third reinstall -- virus and malware scanners being completely ineffective -- on which I installed all the security updates from a CD before connecting. The phrase didn't actually come up at the time ("f*cking ridiculous" did), but looking back the situation seems like profound failure of a fairly high degree. It's odds on whether that or the time I ended up moving the CD reader head manually is my silliest install story, but the latter at least was caused by hardware failure.

I don't know about dire, but I wouldn't be surprised in the slightest if the sum economic impact of the situation is larger than some countries' GDP.

Just another ad for Micro$oft? (2, Interesting)

JayTech (935793) | more than 7 years ago | (#17029544)

Is this just a FUD ad for Microsoft's " Trustworthy Computing" or what?

Microsoft's work in training developers company-wide in secure coding practices is virtually unparalleled among major software vendors, and has resulted in their Security Development Lifecycle (SDL), a formalized process for incorporating secure coding and security testing into every phase of a product's lifecycle. Their Trustworthy Computing initiative so far looks like a success; one that has transformed Microsoft's and much of the industry's thinking about security in just four years.

Vista goes a long way in bringing protection mechanisms such as User Access Control, Kernel Patch Protection, Mandatory Driver Signing & Address Space Layout Randomization to mainstream computer users. If there is going to be any improvement of the current cybersecurity situation, it has to start with the operating system. In this regard, if Microsoft delivers on their promise to produce a secure operating system, it will be an important milestone for cybersecurity, and quite possibly a start to a security revolution. Vista also launches Microsoft's entry into the security space with anti-malware products and services such as Windows Defender, OneCare, and Forefront. The insufficiencies of today's anti-malware software have long been known. Microsoft's entry into the security space will force security vendors to innovate or be pushed out of the market. I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry.

Is it really that big a problem? (0)

Anonymous Coward | more than 7 years ago | (#17029558)

For most people, I would think that computer security just isn't that prominent. A friend of mine works in network security, and if I talk to him, of course it sounds like computer security is a huge problem. But that's his job - what he looks at day in and day out. Talk to a plumber, you'll probably hear about how much damage is caused by clogged drains.

Maybe we've been lucky, or maybe we just don't know that spyware is installed - but out of a few dozen Windows machines (hidden behind a firewall) and a couple of linux boxes, all haphazardly maintained, we have very few malware/virus problems. I think I've seen 2 since 2000 (one, a web browser exploit that displayed ads all the time; another, a worm that exploited SMB on Windows). Annoying, but not all doom and gloom.

Now, security does seem to be poorly done. But firewalls/NAT devices seem to take care of most of it for now - at least until IPv6 rolls out and everyone's directly exposed on the network.

The figure in the article - that the take from computer crimes is now more than that from illegal drugs - is shocking. But, it seems like it is mostly a problem for banks...not something that is very obvious to us end users.

Don't wait for Micro$oft when you could be free. (0, Troll)

twitter (104583) | more than 7 years ago | (#17029736)

A beautiful pair of articles but they fall apart when considering Vista.
I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry. However, technology alone will not solve the security challenges and how well Microsoft has implemented the security features in Vista is still yet to be determined.

It's amazing that he can do such a great job of documenting failure but then recommend vaporware from a disreputable company over proven and easy to use solutions.

Today we REQUIRE that individuals that just want to do their jobs, communicate with colleagues or play games online (i.e., normal and common behavior) have to become advanced computer users in order to do so.

Bull! Free software and Mac both offer easy fixes that are available today. My life is much easier because of the way free software deals with the problems he mentions. Kmail displays all of my mail in plain text but an html rendering is only a button click away. There's not much I can do about all of spam my neighbors send me, but I know I'm not sending it and what little gets through my ISP and then my own filters is not going to make a bot out of my machine. Oh yeah, whitelist filters in my mail client make sure that mail I care about gets put where it belongs. I'm not going to delete a letter from my mom while cleaning out the inbox because my client puts the mail in a folder labled "mom" leaving the spam behind. For those that complain that installing and using free software is too hard because there's not enough vendor support (thanks to M$!), I recommend a Mac. Apple has brought a lot of the technical achievements from the free software world to the public. It's a shame they don't also give them their freedom, and that does reduce Apple's ability to keep ahead of the bad guys, but the platform is usable and safe for "normal" use by non experts. At less than $600, the mini is also affordable. That and or the big $0.24 it costs to burn a Mepis CD are all it takes to escape the Windoze dissaster.

Why is it that he overlooks these two excellent options and praises an OS that's still as buggy as all hell from a company with a history of empty security prommisses amped by billions in advertisement spending?

How to advocate free software (0)

Anonymous Coward | more than 7 years ago | (#17029982)

twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

  • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
  • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
  • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
  • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
  • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
  • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
  • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
  • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project , MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
  • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
  • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advoca cy [ibiblio.org]

What the...? (0)

Anonymous Coward | more than 7 years ago | (#17030090)

documenting failure but then recommend vaporware

Failure? It hasn't even been released yet. And how can you call it vaporware? Have you used the betas or RCs??

Kmail displays all of my mail in plain text but an html rendering is only a button click away. [...] Oh yeah, whitelist filters [...] client puts the mail in a folder labled "mom" leaving the spam behind.

ROFL, WTF?? Wow, none of the Windows-based email clients do that! That's amazing!!

Why is it that he overlooks these two excellent options

What, buy a Mac Mini or... install Mepis? Are you joking?

M$ [...] escape the Windoze dissaster [...] still as buggy as all hell

Man, is this the new breed of "intelligent advocacy" coming out of the FSF? That's so sad.

This is go4tsex (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17029792)

The c4annel To sign

Windows and vulnerabilities (4, Informative)

Epsillon (608775) | more than 7 years ago | (#17029796)

I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so i will do the same.

I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...

Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.

Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.

Too simple?

Re:Windows and vulnerabilities (1)

IamTheRealMike (537420) | more than 7 years ago | (#17030114)

The problem is old versions of Windows had open ports. You don't need a VM to fix that, just close those open ports (which is what a firewall does, essentially). New versions don't have open ports, but to get an old version to be a new version, you have to download the update (or simply enable the firewall yourself - hardly rocket science). So not "too simple", just "too complicated".

Re:Windows and vulnerabilities (3, Interesting)

Epsillon (608775) | more than 7 years ago | (#17030468)

Yes, Mike. Not rocket science *for us*, but we seem to continue making the same mistakes most IT pros make when dealing with technology: That because it's simple for us, it's simple for everyone. It's not. Firewalls aren't understood by everyone. Heck, a lot of post-September users think fairies [1] deliver web pages.

The reason I suggest a VM is to jail the security update network stack from the main kernel. If you have, for example, a buffer overflow that allows arbitrary code execution in kernel space TCP/IP, you really don't want that running in your main kernel with a public connection; you want it jailed and only when the data is verified and checked against its hash do you want to apply the update image. If the jailed or virtual kernel becomes corrupt, it can be killed without harming the host OS. Detecting the jail doing something nasty should be simple; it should simply talk to one IP and download an image and hash file. If it starts opening other ports, kill it immediately. In fact, simply make the jailed process capable of only talking to the one host on one port. Useless for users and crackers, but just enough to update the OS safely.

I know it's heretic of me in the extreme to suggest the OS takes away a choice, that of diving into the big electronic blue without care or conscience, but a lot of Windows users (and maybe a few others) need these safety nets, if for no other reason than to keep the rest of us safe and our mail servers from fending off spam floods from botnets.

Doing this retroactively isn't an option; users of Windows up to and including Vista gold are now SOL for this idea, which is sad, especially given that Vista has a working out-of-the-box IPv6 stack. You think it's bad now? Just wait until every new machine has it's own publicly routable IP.

The idea, or any such protection mechanism, *must* be implemented in the first RTM version of the OS to work effectively, or at the very least a service pack or point release that OEMs will pre-install. That means in the future, but it is imperative now that IT pros start thinking long-term rather than trying to tidy up their mistakes of the past. These problems cannot be solved by dwelling on mistakes made, just mitigated by exploiting obsolescence and helping time heal.

[1] http://www1.uk.freebsd.org/doc/en_US.ISO8859-1/boo ks/faq/funnies.html [freebsd.org] with apologies to Paul from the UK mailing list for quoting him out of context.

Re:Windows and vulnerabilities (2, Informative)

drsmithy (35869) | more than 7 years ago | (#17030374)

I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

Yes, you can. Just enable the firewall first.

How about this: Virtualisation is a reality on most machines nowadays. [...]

Holy overengineering, batman ! Did you actively try and come with such an incredibly complicated way of avoiding any incoming network connections, or did it just fall out of its own accord ?

Too simple?

Vastly more complicated than it needs to be. All you need to do is not allow any inbound network connections or, indeed, any network connectivity at all until the user has updated (or acknowledged the risk). Which is, incidentally, what Windows has been doing for years now.

Re:Windows and vulnerabilities (1)

Sub Zero 992 (947972) | more than 7 years ago | (#17030432)

You can't update your OS without a connection and you can't go online safely until you've updated your OS.
Of course you can. Windows XP has any number of tools available to restrict TCP/IP activity to certain ports / protocols. If you only know how to insert a CD and click on install, you shouldn't be "configuring" someone elses computer to go go walking naked on the internet.

This is a classic example of some poorly educated [l]user f*cking up his computer by misapplying limited knowledge and then blaming the OS for their own incompetence. Next time I hit my thumb instead of the nail with a hammer, I'm suing for damages too! You betcha.

All about user experience (1)

Delifisek (190943) | more than 7 years ago | (#17030288)

Using Firefox, Thunderbird and plus some antivirus program (like kaspersky) will save your ass. Of course I do not use my online banking accounts with windows.

And average Windows user does not know other than IE, Outlook, Office etc.

This is main problem, they do not know hot to protect themselves...

Adult pornography? (3, Funny)

clacke (214199) | more than 7 years ago | (#17030296)

Sometimes Spyware can cross the line when it expose adult pornography to children.


Yes, this is clearly over the line. I mean, had it at least been child pornography, that would have been acceptable, but noo, they had to go all the way.

Hyperbole, meet Craptacular (0)

Anonymous Coward | more than 7 years ago | (#17030552)



FTA: "Often critical patches released by Microsoft which are intended to protect their customers, instead causes system hangs and crashes."

And one example is provided, about an HP shell program that didn't work after a patch. Count me confused why this is described as, "often...". Credibilitiy is lost for the entire angst-ridden piece. God! where is Phil Donahue in all this? Messing with the text size doesn't score well, either.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>