Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The 'Malware Economy' Evolves

Zonk posted more than 6 years ago | from the when-blackmail-is-business dept.

Security 100

superglaze writes "ZDNet UK has a feature on how the malware economy is turning into a recognizable traditional IT economy. Leasing botnets? Malware support? Welcome to the new age of computing. As the piece suggests, it's all gone Darwinian. 'One indication of the maturity of the black economy, according to Telafici, was the recent case of a hacker who wrote a packer [software used to bypass antivirus protection], "threw in the towel recently as it wasn't profitable enough -- there's too much competition. They opened the source code and walked away."'"

cancel ×

100 comments

Hey Hey! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21699206)

Second Post. Gumbie.

Botnet THIS $#$%#@@@ (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21699452)


War Criminal [whitehouse.org] .

Oblig.. (1, Offtopic)

fizzer82 (1201947) | more than 6 years ago | (#21699222)

Cracker not hacker!! ARRRGGHHHH OMFG the mainstream media is screwing us geeks over again.

There whining is covered, please continue with OT discussion...

Re:Oblig.. (5, Funny)

CaptainPatent (1087643) | more than 6 years ago | (#21699276)

So you're saying the editor is a slacker and the hacker who wrote the packer should be a cracker?

Re:Oblig.. (0)

Anonymous Coward | more than 6 years ago | (#21700648)

Give this man an award!

Re:Oblig.. (0)

Anonymous Coward | more than 6 years ago | (#21701730)

But can you say that again, three times, very fast?

Re:Oblig.. (1)

ScrewMaster (602015) | more than 6 years ago | (#21705334)

Yeah ... he's quacker who once worked for Stacker, but now he's just a slacker cracker with no backer.

Re:Oblig.. (1, Troll)

Frosty Piss (770223) | more than 6 years ago | (#21699326)

A "cracker" is a "hacker".

Re:Oblig.. (0)

Anonymous Coward | more than 6 years ago | (#21699440)

Give it up. That ship sailed 20 years ago.

Crackers can be hackers but usually script kiddies (1)

billstewart (78916) | more than 6 years ago | (#21700380)

Most crackers aren't hackers - they're just script kiddies or [NYCaccent]biznessmen[/NYCaccent] running software and services they didn't develop themselves and may not have even customized much.

These days there's enough division of labor that the hackers who develop malware aren't the people who run most of it. Sometimes the hackers are individual shops, and sometimes they're working for mafiya guys, and there's enough volume out there that hand-crafted malware isn't as necessary. For instance, if you want to take somebody's system offline, you don't have to crack into it anymore, either as a hacker or script kiddie running cracking tools - you can just DDOS it using the bandwidth of a bunch of zombies, and instead of doing it for fun, you can be in the commercial extortion business.

Re:Crackers can be hackers but usually script kidd (0, Troll)

Frosty Piss (770223) | more than 6 years ago | (#21700538)

Most crackers aren't hackers - they're just script kiddies...
You may not like it, it may hurt your ego a bit if you define yourself as a "hacker", but the truth is that "Skript Kiddies" are "hackers" too, just not very good ones.

The whole termonology is silly anyway.

Hacker v Cracker (1)

Z34107 (925136) | more than 6 years ago | (#21701764)

Please look at the definition of hack [catb.org] and how it's different from cracking [catb.org]

For those who hate reading: A hack is pretty much a clever trick. A crack is something that does all that security breaking stuff.

Re:Hacker v Cracker (1)

BorgCopyeditor (590345) | more than 6 years ago | (#21702532)

Yes, and breaking through someone's supposedly invulnerable security undetected is a pretty clever trick.

Re:Hacker v Cracker (1)

Z34107 (925136) | more than 6 years ago | (#21702750)

If you were the one who did the original breaking and figured everything out.

If you're some kind of script kiddie using said programatic ingenuity without any comprehension or understanding, you are most definitely not a hacker.

Crackers are the Bards making "Use Magic Device" checks. Hackers are the Wizards with ranks in "Craft Wondrous Item." Oh wait, that didn't involve cars...

First post? (-1, Troll)

zaunuz (624853) | more than 6 years ago | (#21699226)

all hail http://www.vumit.com/ [vumit.com]

This shouldn't have surprised anyone (4, Informative)

damn_registrars (1103043) | more than 6 years ago | (#21699288)

Really, we've been talking about the Economic basis of spam [slashdot.org] for some time. I've commented [slashdot.org] and journaled [slashdot.org] on how the economics of spam make most current solutions meaningless in the greater fight.

So now when we see yet another article discussing the money that is made in malware, particularly the botnets that drive spammers, there's no reason why anyone should find this surprising.

Re:This shouldn't have surprised anyone (0)

Anonymous Coward | more than 6 years ago | (#21699358)

what we need is a marketing programme informing people of the reasons why not to buy from a spammer.

Re:This shouldn't have surprised anyone (4, Funny)

jefe7777 (411081) | more than 6 years ago | (#21699482)

absolutely, and we'll pay to have a couple of botnets to get the message out!

Re:This shouldn't have surprised anyone (1)

ahaning (108463) | more than 6 years ago | (#21699704)

It's a good thing you linked to that previous story, your post, and your journal, because unlike you and me, most other people don't read and remember every Slashdot article, post, and journal. Now that I actually take the time to click on those links, they're all from the past two weeks!

Re:This shouldn't have surprised anyone (1)

damn_registrars (1103043) | more than 6 years ago | (#21701082)

they're all from the past two weeks!


If you'd like, you could also read my journal entry from September 30th [slashdot.org] where I discussed the economic role of spam, and why filtering is the wrong answer. I know I also discussed it in forums starting then or earlier, but as I am not a subscriber, I can only look at my own last 24 postings from my page here.

If there was an easy way for me to peruse my own old postings, I could show some of my earlier messages to this same effect. These more recent ones were just easier to access quickly.

Re:This shouldn't have surprised anyone (1)

Recovering Hater (833107) | more than 6 years ago | (#21699708)

I knew an old lady who swallowed a fly. I don't know why she swallowed the fly. I guess she'll die.

It's all the economy of the threat escalation / threat deterrence software industry.

moderation for fun & profit (0, Offtopic)

damn_registrars (1103043) | more than 6 years ago | (#21702264)

I'm enjoying watching my comment get moderated up and down. As of this message, it has been moderated at least 4 times.
  • Starting score = 1 (I passed on the karma bonus)
  • +1 Informative -> Score = 2
  • +1 Informative -> Score = 3
  • -1 Overrated -> Score = 2
  • +1 Informative -> Score = 3

Re:This shouldn't have surprised anyone (1)

sethawoolley (1005201) | more than 6 years ago | (#21706854)

Looking at your journal, it's clear you're a raving idiot. Spam is caused by bad registrars, you say!

Whatever. When we finally get registrars to pull spam sites, if we actually DID want them to do that, they'd just use IP addresses -- or should we make using an IP address illegal, too?

I don't know what your angle is, but it sounds like you just need to calm down and change email addresses to a subdomain. Nobody Rumpelstiltskins those, of course. It essentially ENDS spam. 99% solution. When I changed my address to a difficult to detect email address, my spam rate went to zero. I've been using it for two years, and I get a spam about once per week that I don't even notice as it's from somebody in Nigeria who is a real person who actually does go to my website (where it's encoded somewhat of a riddle). I love fishing them though, I've had a guy call me about twenty times back and forth once from Uganda until I finally told him he'd been had and that the address I gave him was for George Bush's White House.

Then again, I only give out my email address to people who use computers that don't get viruses that farm email addresses to spammers.

Seth

Interesting feedback... (1)

damn_registrars (1103043) | more than 6 years ago | (#21708282)

Looking at your journal, it's clear you're a raving idiot

Looking at your comment, its clear you didn't actually read the journal entries. But we'll continue on...

Spam is caused by bad registrars, you say!

No, I said that bad registrars allow spam to happen by being complacent. Those are two very different statements. Your statement carries an implication that you feel I'm aiming to say that registrars are themselves sending the spam. This conclusion is patently false. I am saying that there are complacent registrars that are making money from spam and hence are not willing to do their part to stop spam.

But thanks for playing, anyways.

When we finally get registrars to pull spam sites

We'd have a good start. Except I suspect you're not actually reading my comments accurately and its not even clear that you understand the different between a registrar, a webhosting company, and an ISP. But we'll continue on...

they'd just use IP addresses -- or should we make using an IP address illegal, too

First, I didn't propose making anything illegal. ICANN has no legal authority over anything, anywhere. How you read anything that I wrote and took it to mean 'illegal' is beyond me.

But nonetheless, you are missing the point. Spammers use domain names because they're convenient. If you look up a spamming domain, you'll find that the spammers own a lot more than just the spamvertised domains. In particular, the domains that provide DNS for resolving the spamvertised domains are themselves owned by spammers.

This mutli-level scheme that the spammers run allows them to very rapidly change the mapping for their domains so that even if one ISP shuts them down or disconnects them, they can re-map to another IP, and the spamvertised domain still goes where they want it to. Or do I need to explain DNS to you as well?

but it sounds like you just need to calm down

Thats a curious statement coming from someone who opened their comment by calling me "a raving idiot".

and change email addresses to a subdomain

OK, I could start by pointing out that you didn't really write a sentence there, but I'll leave your grammar alone and critique instead your lack of logic. Of all my email addresses, the one I have that gets the most spam is in a subdomain - username@aaa.bbb.edu. It pulls in at least 40 spam emails daily. Just because it works for you, doesn't mean it will work for everyone. Besides, the spammers will eventually come up with a way to probe those, as well, and then you'll be right back where you started.

But I'll just let you think that you solved the problem with your interesting solution instead.

And of course, your "solution" does nothing for all the people who use the likes of hotmail/yahoo/gmail for their email. You can say what you want about them, but thats a lot of people who couldn't use your answer if they wanted to.

Re:Interesting feedback... (1)

sethawoolley (1005201) | more than 6 years ago | (#21714960)

They have a distributed botnet. They'll just distribute the http traffic over the botnet and deliver the payload via a decentralized onion-style network, again, on their botnet, like tor. Or they'll just use p2p technology and a pki that allows them to be the only ones able to decrypt the data stuffed into it.

Going after the registrars will only be a temporary solution.

You're right that as long as they make money, they'll keep doing it.

People just need to learn not to send money to a site without a browser-confirmed TLS certificate, let alone never buying anything off of a spam message or even doing simple basic research. All the people losing money due to spam, frankly, deserve it.

That still means it sucks for the rest of us, but it's not that much of an inconvenience. But that's the trade-off. In this case, a lot of freedom translates to speech you didn't want. Grow up.

Re:Interesting feedback... (1)

damn_registrars (1103043) | more than 6 years ago | (#21716708)

They have a distributed botnet. They'll just distribute the http traffic over the botnet and deliver the payload via a decentralized onion-style network, again, on their botnet, like tor.

The current accepted model is that the spammers pay for time on the botnet. That makes it easy to dump a ton of spam through it, because that doesn't take long. I doubt that the spammers really want to use the botnet for web hosting, where they would potentially want to rent it for days. And beyond that, the dynamic nature of their botnet would require a mess of routing in order to make sure that the http and https requests get to systems on the botnet that are up.

Going after the registrars will only be a temporary solution.

Let me know when you start seeing a large amount of spam that doesn't refer to the websites by a domain name. Well over 99% of the spam, and likely a solid 100% of the phishing emails that I see rely on using a domain name in the link, likely for the reasons that I've outline before. The spammers just don't have as much to gain by using a numeric address over a domain name. If they change their game drastically, I'll then concede that point.

You're right that as long as they make money, they'll keep doing it.

Which is exactly why running from spammers (as per your suggestion) is futile. They'll find you eventually. Ditto for anyone who thinks that spam filtering is a good answer - it's only a matter of time until any given filter is circumvented by a creative spammer, and then new filtering has to be devised. We can play whack-a-mole with the spammers, or we can actually work to stop the mechanisms that they use. Take your pick.

browser-confirmed TLS certificate

Granted, I've never purchased anything from a spamvertised domain. But when I have looked at their sites, they do say that they have TLS security, which is as much (if not more) than most people would look for. Same sites do everything they can to reassure you that your transaction is secure and legit. Whether or not it is, well thats of course very debatable. Considering most people probably will just look for the lock icon in their bottom right corner, and they'll almost always trigger it, I don't think you can really ask for a whole lot more for reassuring the users.

ll the people losing money due to spam, frankly, deserve it.

Thats extremely condescending, but I guess it matches your tone from your first reply. You also seem to be overlooking the fact that many of these spamvertised sites are targeting extremely vulnerable people. Have you considered how many people are online now that are on medicare / medicaid? If you tell these people that they can buy their prescriptions for less than half the usual price, they'd love to listen. And then if your site looks legit, and authenticates legitimately, they may well fall for it. Do 80+ year old senior citizens really "deserve" to be taken advantage of by criminals?

In this case, a lot of freedom translates to speech you didn't want. Grow up.

If you want to discuss freedom of speech issues, you should start by acknowledging the fact that the 1st amendment doesn't guarantee that people will be forced to listen. And furthermore, there are fraud laws that need to also be taken into consideration, things like insider trading. So I'm afraid your argument that spam should be protected just simply doesn't hold water. But thanks for playing.

Re:Interesting feedback... (1)

sethawoolley (1005201) | more than 6 years ago | (#21718146)

Let me know when you start seeing a large amount of spam that doesn't refer to the websites by a domain name. Well over 99% of the spam, and likely a solid 100% of the phishing emails that I see rely on using a domain name in the link, likely for the reasons that I've outline before. The spammers just don't have as much to gain by using a numeric address over a domain name. If they change their game drastically, I'll then concede that point.
All my spam currently is 419 spam. I don't get fished. Thus there's no domain name in the link, so concede your point.

Thats extremely condescending, but I guess it matches your tone from your first reply. You also seem to be overlooking the fact that many of these spamvertised sites are targeting extremely vulnerable people. Have you considered how many people are online now that are on medicare / medicaid? If you tell these people that they can buy their prescriptions for less than half the usual price, they'd love to listen. And then if your site looks legit, and authenticates legitimately, they may well fall for it. Do 80+ year old senior citizens really "deserve" to be taken advantage of by criminals?
Yeah, the old people vote Republican, so I say fuck them. They're borrowing off my future taxes. FUCK THEM!

And did you ever take a look at the percentage of spams for male enhancement? I just opened up an old gmail account that's been spammed constantly despite never having been used. 95% of them are for male enhancement. That must mean 95% of the victims are assholes (republicans, too) who are inadequate about the size of their dicks. That is, if I'm allowed to extrapolate from such a thing, which you feel ok to do. The only cheaper prescriptions I've seen are for male enhancement drugs, not any other drugs. They aren't targeted because they don't have money.

If they don't like the nanny state, unless it helps them, then the nanny state shouldn't help them avoid getting taken by some words by some random untrusted individual.

Re:Interesting feedback... (1)

damn_registrars (1103043) | more than 6 years ago | (#21724252)

All my spam currently is 419 spam. I don't get fished. Thus there's no domain name in the link, so concede your point.

Except that spam is, by definition, unsolicited advertising. Nothing is advertised for sale in 419 spam, thus you are missing the point. Therefore no concession is necessary nor will any be given. Nice try, though.

Yeah, the old people vote Republican, so I say fuck them. They're borrowing off my future taxes. FUCK THEM!

If you were trying to make a point with that statement, I have no idea what it is or was. Unless you're just aiming to demonstrate the non-sensibility of the karma bonus here on slashdot.

The only cheaper prescriptions I've seen are for male enhancement drugs, not any other drugs. They aren't targeted because they don't have money.

Well, thats you own experience with spam. I see quite a few spam emails that offer plenty of other drugs. Heck, I have several in my box right now that offer valium, and / or human growth hormone. And when I checked out a couple just to see how deep their list was, they had pretty much every prescription drug I could imagine, on a website that claimed to have secure checkout. Many of the drug spammers run pretty complicated operations.

If they don't like the nanny state, unless it helps them, then the nanny state shouldn't help them avoid getting taken by some words by some random untrusted individual.

What? Thats an amazing run-on sentence there, but what its trying to say, I'm not sure. If you think that for some reason I'm trying to get the government to stop spam, then I can only conclude that you still haven't read what I wrote. The economic solution that I suggest needs to come from the registrars and the ICANN. Anyone who tries to legislate spam away is a fool, because very little spam starts, ends, and profits in just one country. Usually any given spam traverses at least 3-4 countries where someone is turning a buck off the profit. Good luck getting any such "nanny state" to solve that in any considerable way.

Re:This shouldn't have surprised anyone (0)

Anonymous Coward | more than 6 years ago | (#21716204)

Consider MMO gaming alone. I don't mean sales of in game currency. Most fan/informational sites for MMO games pay their hosting fees via adverts. Slip some malware in an advert with one of the advert partners for these sites, keylog some accounts, steal their virtual goods, sell it back to other players..That can a be a lot of cash really fast.

The only reason I know about this is because a lot of my friends just got nailed by malware that did just this to their accounts.

http://bluegartrls.com/forum/viewtopic.php?f=2&t=27256&st=0&sk=t&sd=a&sid=aed1ccae2f696a07b0b9e27142cf546b&start=150 [bluegartrls.com]

Open source malware? (1, Insightful)

spun (1352) | more than 6 years ago | (#21699302)

That's a FUD goldmine, or a FUDmine, if you will. Damn, OSS enemies will be crowing about this: "open source leads to VIRUSES and MALWARE! Open source hackers create programs to take over your computer, how can you trust them?"

Re:Open source malware? (1)

russ1337 (938915) | more than 6 years ago | (#21701430)

Open source hackers create programs to take over your computer, how can you trust them?"
This article is right on the tail of a post on Schneier's blog about Chinese kids winning hacking prizes.. funded by the PLA.. [schneier.com]

Hackers in the USA shouldn't be put out of business, they should be 'recruited' into cushy salaried jobs working for the Govt... One day they'll be the ones we HAVE to trust to defend us from attack.

Re:Open source malware? (1)

FLEB (312391) | more than 6 years ago | (#21704550)

The Phone Losers of America? Are they still around?

Re:Open source malware? (1)

alshithead (981606) | more than 6 years ago | (#21705498)

"Hackers in the USA shouldn't be put out of business, they should be 'recruited' into cushy salaried jobs working for the Govt... One day they'll be the ones we HAVE to trust to defend us from attack."

How about we lock them away for ten to twenty years or so while they are forced to work for the government and then let them out with a nice pension and lifelong monitoring? If we supply them with hookers and Mountain Dew while they're locked up they might not even care (or notice) that they're in prison.

Old news (0)

Anonymous Coward | more than 6 years ago | (#21699320)

(registration needed, fake credentials accepted [theregister.co.uk] ) There are dozens more sources of the same info.

Only high profit crime (3, Interesting)

Anonymous Monkey (795756) | more than 6 years ago | (#21699444)

This is only logical. A criminal will work for the quick buck. BnE is great when lots of people are leaving their windows open and you are the only burglar, but once every one is on the BnE bandwagonit's time to switch to mugging or extortion.

Re:Only high profit crime (4, Insightful)

binaryspiral (784263) | more than 6 years ago | (#21700120)

A criminal will work for the quick buck. BnE is great when lots of people are leaving their windows open and you are the only burglar, but once every one is on the BnE bandwagon, it's time to switch to mugging or extortion.

Like Patent trolling, DRM, or WGA.

When prey is plentiful... (1)

TheLazySci-FiAuthor (1089561) | more than 6 years ago | (#21699490)

...the predators will flourish.

Malware and ex-emailer (5, Insightful)

deviated_prevert (1146403) | more than 6 years ago | (#21699524)

As I receive spam my conclusion is that the majority of bot nets are created by people like my Aunt. She thinks she is safe because she uses some obscure malware and e-mail detection system that seems to have appeared like magic to rescue her from the perils of the net. However her windows 98 kernel has obviously been rooted and she does not even know it.

I keep getting spam traffic from her that is reassigned from a myriad of outlook express ex-emailers. I have told her that she will have to get her OS reinstalled but she just won't listen. I am afraid that the windows OS and the Microsoft way of computing has done little more than create a shit load of computer using zombies and little old ladies (like my aunt) who in blissful ignorance just keep up the status quo. The result of this blissful ignorance is that bot nets have become almost impossible to kill.

Re:Malware and ex-emailer (4, Interesting)

Opportunist (166417) | more than 6 years ago | (#21699658)

And this won't change as long as you're not responsible for your computer's actions.

We have a license for everything. You need a license to drive, to prove you're able to steer a car without causing a problem. We (at least here) need a license for a gun, so you prove you're not just some maniac who wants to kill his wife's sisters. But even for "non-lethal" things like some jobs you need to prove you're able to handle what's put into your hands sufficiently professionally that you don't cause harm to anyone else.

Now, I wouldn't really want a "driving license" for computers, but I'd very much enjoy seeing people taking some more responsibility for their computers and what they do to others on the internet. As we see now, this has become an economic problem. We waste a lot of bandwidth and work hours fighting spam, we have the sword of a DDoS looming over our heads due to botnets ready to strike, and it all boils down to people using rooted boxes and not even knowing it.

Before you start crying about your freedom to use the net, be aware that sooner or later our legislators WILL react. They have to, the pressure from the industry is already tangible. And in our current environment, the result is very likely not one where people get better educated and more responsibility, instead we'll probably see laws regulating what kinds of machines you may attach to the net (and the accompanying locking of "insecure" machines from participation), and we know the current definition of "secure". It will pretty much lead to machines so heavily DRMed that Vista looks like open source compared to it.

So either we start pushing towards more personal responsibility or we'll have something dumped on us that is the maybe least favorable alternative. Because the industry WILL start lobbying for protection from those rooted machines. And they don't care if you can use your computer for anything but playing prepared content. Actually, some would definitly like that.

Re:Malware and ex-emailer (3, Funny)

Colin Smith (2679) | more than 6 years ago | (#21699858)

Now, I wouldn't really want a "driving license" for computers, but I'd very much enjoy seeing people taking some more responsibility for their computers and what they do to others on the internet
http://www.ecdl.com/ [ecdl.com]

 

programmer's licence (1)

Grampaw Willie (631616) | more than 6 years ago | (#21700592)

you won't need a driver's licence but you will be needing a programmer's licence

in the form of a registered PGP signature

and you will be liable/responsible for your code

and for those without a registered and approved signature:

NO SIGNATURE? NO EXECUTE.

this hasn't been adopted as SOP yet but with the amount of hacking going on and Ms Windows continued promiscuity it is a rather likely direction

Re:programmer's licence (1)

Opportunist (166417) | more than 6 years ago | (#21703316)

That will only partly solve the problem. Or rather, it will shift the problem.

To create "secure" software, approved to be run in a tightly closed DRMified system, you'll need the "seal of approval" from some authority. That way you can avoid two "problems". First of all, the obivous one, malware. You can't get malware certified. But also software some companies would not want to exist. For example, software that lets you circumvent copy protection mechanisms.

And here's where the problem lies: People DO want that kind of software. So what will they do? They will find a way to disable this "security feature" and run their software.

And that in turn opens another box of Pandora's making. Because people already violate the terms of usage (or maybe even the law) by disabling those security features (to run their latest cracks and movie ripping software), they are quite reluctant to contact anyone when they notice some "strange behaviour" (read: malware infection) in their machine. Instead they will continue using their infested machines and not even think about calling some AV company.

In short, it will create more malware problems than it solves.

Re:Malware and ex-emailer (3, Interesting)

deviated_prevert (1146403) | more than 6 years ago | (#21699898)

I concur with what you are saying but what about the malicious propaganda side of things http://www.google.ca/search?hl=en&sa=X&oi=spell&resnum=1&ct=result&cd=1&q=linux+botnet&spell=1 [google.ca] It seems to me that there is also lots of miss information out there, mostly in the form of blogs from so-called security experts, trying desperately to defame open source software!

Re:Malware and ex-emailer (3, Funny)

Intron (870560) | more than 6 years ago | (#21700192)

I dated Miss Information for a while. The problem was her sister, Miss Conduct.

Re:Malware and ex-emailer (0)

Anonymous Coward | more than 6 years ago | (#21700336)

I also believe you dated the Maiden Taiwan and the Maiden Japan. Not to mention Miss Ogynation and Miss Anthrope.

Re:Malware and ex-emailer (1)

Intron (870560) | more than 6 years ago | (#21700892)

Lies. That was Mister E.

Re:Malware and ex-emailer (1)

stevefuzzy (1098783) | more than 6 years ago | (#21700126)

Licensing is clearly unrealistic. But how about charging some nominal fee (say $0.10, ala SMS) for each outgoing email msg? All of a sudden people will really care about how many outgoing emails their computer sends out, and you betcha if Aunty gets a nice hefty bill she'll make sure to reinstall the OS to get rid of that pesky (and costly) malware.

Re:Malware and ex-emailer (1)

Oliver Defacszio (550941) | more than 6 years ago | (#21700570)

If the gigantic bills stuck, yes, but they would never stick. The first time someone received a $10,000 invoice for all the e-mail his computer sent out because it was compromised, he'd wind up on TV being portrayed as the innocent victim who was waylaid by the evil hacker. Odds are, there would be some kind of public outcry that threatened the reputation of whatever governing body was responsible for collecting the fee, and the jackass would wind up paying not one cent.

It happens all the time. Gullible morons who get swindled somehow due to their own greed or stupidity are constantly portrayed as honest, hard-working victims by the media. Look what happens the next time some idiot in your local area loses a few thousand to Nigerian scammers, despite the fact that the scam is so old by now that most multi-celled organisms know that it's a bunch of baloney. Invariably, he or she will wind up on the news, holding a fake check, mewling about how it seemed genuine and real while other idiots nod gravely into their TV.

Personal accountability is a bloated corpse, my friend, so you can "charge" whatever you like for e-mail... it will just make a bunch of ISPs (or whomever is supposed to collect) look like the devil for trying to actually take money from allegedly bright, intelligent, honest people who just got taken for an "unavoidable" ride.

licencing unrealistic (1)

Grampaw Willie (631616) | more than 6 years ago | (#21701014)

nope it's the way to go

we need detection and response

detection is a technical point and we will need to change the rules to require you PGP signature for every piece of code published with the guide:

NO SIGNATURE? NO EXECUTE.

once we know who you are we can hold you responsible for your program and this is the RESPONSE aspect of security

don't think it won't happen and don't think it's silly. the current flood of maleware mandates improved security. detection and response are critical elements of security. as well as prevention. we like prevention best, but failing that we need to put any bad guys out of business

Re:licencing unrealistic (1)

init100 (915886) | more than 6 years ago | (#21701796)

I don't think so. A government-mandated signature system would probably rather use PKI. Your key would need a(n expensive) signature from Verisign or another "trusted" signer. That would also scare away hobby programmers, and leave programming an exclusive domain of major companies, which we all know never make mistakes, and when they do, they can afford a few millions in fines.

Re:Malware and ex-emailer (5, Funny)

myvirtualid (851756) | more than 6 years ago | (#21700310)

Your post advocates a
( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam.

Furthermore, your approach appears to require a level of international cooperation akin to
( ) Passing a meaningless UN resolution
( ) Negotiating a world wide free trade agreement
( ) private, i.e., commercial and civil, law
( ) Banning land mines
( ) Adding a permanent member to the UN Security Council
( ) Achieved balanced copyright reform
( ) Censuring Cowboy Neal
(X) Doing anything truly useful about climate change
( ) Eliminating Britney Spears

Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from jurisdiction to jurisdiction before a useful treaty can be negotiated.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
(X) uh, come to think of it, I have no particular opinion of you nor any desire to form one.

Re:Malware and ex-emailer (1)

antifoidulus (807088) | more than 6 years ago | (#21701308)

so you prove you're not just some maniac who wants to kill his wife's sisters.

But Homer Simpson DID get a gun, remember?

Re:Malware and ex-emailer (1)

Opportunist (166417) | more than 6 years ago | (#21703408)

Yeah, but he has problems with alcohol, was in a mental institution and beat up presid... former president Bush. So he was limited to 3 handguns or less.

See? The system works!

Re:Malware and ex-emailer (1)

readin (838620) | more than 6 years ago | (#21701332)

Perhaps having "the internet" so thoroughly locked down that you can't do anything with it would be a good thing. The whole "free" and "open" aspect has been a big problem in my opinion. If, from day one, the internet had not existed, proprietary networks like Prodigy would have taken off and done much better. With several proprietary networks competing, you can bet they would have been extremely motivated to develop technologies within the network to prevent spamming, DOS attacks, and other malware problems. Most obviously, a nominal charge on network use or email use (a half-penny per email?) would do a lot to stop spammers. And due to consumer demand, they would have done so in a way that didn't require you to put a lot of software on your machine. At some point an internet would have evolved anyway, as Prodigy users would demand to be able to send email to AOL users and vice versa, but it would have evolved from secure networks into a secure internet work. If we can find some way to kill "the Internet" perhaps there is hope that it can still happen. I really think the internet was a mistake from a security standpoint. I still remember 20 years ago getting a computer and thinking I could do banking through it. I contacted my bank to find out their modem number and THEY DIDN'T HAVE ONE! Instead of free or very cheap and secure computer banking, I would have to spend around 20 bucks a month to get on the internet and send my personal information and passwords out for everyone to see. If Al Gore really invented the internet that's yet another reason to not have voted for him.

Re:Malware and ex-emailer (1)

Opportunist (166417) | more than 6 years ago | (#21703450)

The problem is, which company would you hand the incredibly powerful opinion maker the internet is? Don't tell me "free market would have created competition" or similar BS. Free market is dead. Today is the time of the cartel. What makes you think that the internet would have gone any other was than the music or the media business?

Not to mention that with some company controling the net, they can invariably decide who may create what kind of content, who may provide what service and, in a way, who may compete with their own services, no matter how crappy they may be. Also, this company would of course be primarily concerned with making money. We would have never seen such traffic (and thus money) expensive things as YouTube or P2P.

Re:Malware and ex-emailer (1)

Mistshadow2k4 (748958) | more than 6 years ago | (#21702516)

Now, I wouldn't really want a "driving license" for computers, but I'd very much enjoy seeing people taking some more responsibility for their computers and what they do to others on the internet.

So would I! (Hope the following makes sense, as I'm high on cold medicine.) This would require some education. Unfortunately, from what I've seen, all they are teaching kids in school about computers is typing and how to search online; the teens I've talked to don't even know what Unix is. I don't mean to sound self-aggrandizing because I'm no expert -- especially in the area of networking -- but it's blatantly apparent that I'm more qualified to teach computer tech than our local high-school teachers. College is a different matter, but so few take anything related to computer technology in college that it doesn't really make a difference.

I think what would really do the trick is to set up computers to teach the person using it as they go along. There would still be problems, as it couldn't teach them everything all at once, but it would go a long way towards helping them with computer security as time passed; instead of the same insecure system they still have a year later because they haven't learned anything, they'd know enough to set it up better and get rid of the malware on their system. And that wouldn't have to be the only thing they learned either. The only problem would be those who already know this. If you make it as easy as "click this box to skip this stuff" or have an expert mode then everyone would do that and no one would learn anything. On the other hand, having to take a quiz to use your new computer sounds pretty obnoxious.

Re:Malware and ex-emailer (1)

Opportunist (166417) | more than 6 years ago | (#21703570)

This is entirely not true. They don't just tell the kids how to use a search engine.

They also tell them that filesharing is evil and bad and only criminals do it. So much for learning to share...

But I digress. I guess you're aware what such a "quiz" would look like if you leave it in the hands of the software manufacturers. We'd get quizzes that show off the new features of some product and how much better it is than anything there was or anything the competitors push out, with the mandated "push here to be secure" BS to do what some law might require.

I'm quite aware that it's unpopular to ask peole to be responsible for their actions (or lack of actions). But I think it's about time we accept that since we're "blessed" with free will, we should be held responsible for it, too. If someone is only able to hurt himself by being negligent, by all means let him be. I'm a fairly liberal person, the only limit to someone's freedom should be the freedom of everyone else. If someone wants to hang himself, I'll be the one helping him to find a suitable rope. It's his decision to do so, and it does primarily affect him (might affect others, but again, I digress).

We're facing a problem, though, where the carelessness of some people affects people around them. And, personally, I don't see why I should be forced to suffer from someone else's carelessness. Should I not be able to sue a car driver who ignored a red light and crashed into me? Because this is exactly the same thing.

Re:Malware and ex-emailer (1)

DaveWick79 (939388) | more than 6 years ago | (#21703958)

So if someone straps a bomb onto your car while it's sitting in a parking lot, you should be responsible for everything that happens to your car and everything else that is nearby when it blows. Because heck, you own the car and you were driving when it happened. After all, cars are inherently insecure and while we could choose to keep them snugly locked in our garages at home, we instead choose to use them in public places where other people could break into them, steal them, use them to do illegal things, and return it to the parking lot. Of course, if we had a car that required the driver to install his own parts, wire his ignition switch, and if he was really geekly, install a stereo that interfaced with the volume control buttons on the steering wheel, we'd all be more secure because noone would want to steal it.

Re:Malware and ex-emailer (1)

FLEB (312391) | more than 6 years ago | (#21704576)

Carbombing is an edge case. Think more along the lines of an improperly secured load (which is illegal in many jurisdictions) or forgoing maintenance until a catastrophic, preventable accident occurs.

Re:Malware and ex-emailer (1)

Opportunist (166417) | more than 6 years ago | (#21705812)

Funny enough, under our legislation here (and I wouldn't be surprised if that holds true in other countries, too), you'd be liable for that if the bomb is at any rate somehow noticable to you (like, you having a new extension to your trunk). Before you start your ride, you're required to check whether your car is safe for traffic. Now, while our legislator certainly meant that you should check your breaks and lights, I'm fairly sure it also applies to strap-on bombs.

I'm not even expecting anyone to study CS and have a doctorate before hooking up to the internet. What I expect is a little care and responsibility. We're not talking about the computer malware equivalent of some high tech terrorist being able to defeat a perfect car alarm system to slip a tiny nuclear bomb so deeply under your undercarriage that even an expert mechanic couldn't find it without dismantling the whole car. The malware encountered today would be the equivalent of you finding a huge ticking ... something on the passenger seat of your unlocked car, labeled BOMB, complete with that cute digital display telling you just how long 'til kaboom, and people still start their car and go into the middle of the morning traffic on the expressway because they just shrug their shoulders with an "oh heck, what bad could happen, I wanna drive and not care about something I don't wanna know about?" on their lips.

Re:Malware and ex-emailer (1)

DaveWick79 (939388) | more than 6 years ago | (#21709722)

I have to disagree with you completely on this. Continuing the paralell, most people don't know they've been infected until the bomb goes off, at which point it is too late.

Re:Malware and ex-emailer (1)

Opportunist (166417) | more than 6 years ago | (#21739404)

Oh, it's not like there are no clues that something's amiss with your PC in a good deal of the cases. Your friend suddenly complain about getting spam from you, your bank redirecting you to some offshore page for its links, strange new icons in your taskbar... of course, you'd have to know how to interpret those signs. But there is a bomb sitting next to you. If you decide to ignore it, of course you won't notice it 'til it goes kaboom.

Re:Malware and ex-emailer (4, Interesting)

houstonbofh (602064) | more than 6 years ago | (#21700050)

I still don't understand why ISPs are not doing more about this. SPAM uses a large amount of the precious and limited bandwidth, but they filter p2p? I get 10 to 20 spam an hour. As I have more than one e-mail client (one on laptop, one at home, one at work...) each one gets passed off the SIP mail server 3 times for me. It also passes in to the ISP mail server once, so 20-30 messages times 4, times 24 hours times each user ads up to how much bandwidth? And this is why I can't seed my Ubuntu images?

Re:Malware and ex-emailer (1)

sootman (158191) | more than 6 years ago | (#21705166)

Because, to be honest, that isn't very much bandwidth. Say you get one 25KB image spam per minute. That's 1.5 MB/hour. So unless you want to take 467 hours (over 19 days) to move one 700 MB .iso, there's your answer. If you want to add in all the bounces and forwards--hell, let's just be REALLY liberal with our numbers and multiply everything by ten. That's still almost 48 hours--two whole days--to move 700 MB. Considering that it should only be a couple HOURS to move 700 MB, we're talking about an order of magnatude difference.

All together, spam is a lot of bandwidth, but it's obviously not worth the economic burden of most ISPs to fight--if it were, they'd be doing it.

Re:Malware and ex-emailer (1)

Dark_Gravity (872049) | more than 6 years ago | (#21706556)

SPAM uses a large amount of the precious and limited bandwidth, but they filter p2p?

p2p? Pork to palate? ITYM spam; SPAM uses no bandwidth, only pork and ham (and a few other ingredients).

each one gets passed off the SIP mail server 3 times for me.

How's that VOIP to email gateway working for you? ;-)

I can't seed my Ubuntu images?

If your ISP won't let you seed Ubuntu images, you should probably be shopping for a new ISP.

they raise billion dollars from IPO (2, Funny)

minority (23819) | more than 6 years ago | (#21699540)

malware is great!
such as Alibaba.com, a chinese company, well known for the malware 3721, can even make IPO for more than 1.3 billon dollars.
that's why it is called "Historic IPO"

No shortage of idiots (2, Interesting)

hyades1 (1149581) | more than 6 years ago | (#21699554)

I don't get it. One of the most popular uses for a botnet, according to the article, is for spam mailings. But how can spammers afford to pay any significant amount of money for the service? I understand that they're mailing out to millions of people and count on a high level of rejection, but how many people are stupid enough to open something that says, "5PL1t H3R 1n HALF WYTH YORE HUGE ORGAN"? Let's face it, half the population is female, and probably not interested (unless they're buying for their boyfriend, and wouldn't THAT be a kick-ass Christmas present); a majority of the male half of the population are probably reasonably satisfied with their equipment; and even a vast majority of those poor, pathetic guys who actually have "AY tiney Pinnus That You GIrflrend Lauff at" probably have an IQ in at least the high double digits (I mean, they figured out how to turn on a computer and collect their e-mail, at least). So they probably wouldn't open that message either.

And then there's the spam filters, which are getting pretty good these days.

So that leaves what percentage of the population stupid enough to open one of these things and infect their computers with something vile? And if they're that stupid, how likely is it that they have a bank account worth looting? Or that they haven't been hit before so often they just sign their paycheque over to the spammers automatically and save everybody a lot of trouble?

Help. Somebody please explain it all to me.

Re:No shortage of idiots (0)

Anonymous Coward | more than 6 years ago | (#21699660)

But how can spammers afford to pay any significant amount of money for the service?

Well, either enough people do buy from spam ads to make it worthwhile, or vendors think that people will buy and are willing to pay spammers to try.

Alternatively, enough people get spyware from spam that the credit card fraud makes it worthwhile.

Help. Somebody please explain it all to me.

You said it yourself in the subject: "No shortage of idiots"

Re:No shortage of idiots (1)

Mr. Underbridge (666784) | more than 6 years ago | (#21699666)

I believe because it doesn't require that many bots to send a bajillion emails, and even if the response rate is 0.000001, they still make money.

Put it another way - since spam is the major driver of botnets, the price of botnet rental will drop such that it's profitable for the spammers to use them, or spammers will use something else.

The real money in spam? Selling to spammers (4, Interesting)

uptownguy (215934) | more than 6 years ago | (#21699736)

This has to do with SPAM and not botnets...

It's been said before, probably better than I can: The "mark" in the spam economy is NOT the person receiving the email. The "mark" is the person foolish enough to buy the Spam-in-a-box kit thinking they will be able to get a single person to buy their w0tches or v1agra. The money in spam is made not from the person foolish enough to buy the w0tches. The money is made in selling the service to spam millions of people.

Re:The real money in spam? Selling to spammers (0)

Anonymous Coward | more than 6 years ago | (#21700370)

And yet the amount of SPAM (and the rate at which it is sent) continues to increase. If it doesn't make them money, why would they be paying for the service? They must get SOMETHING out of it. They may be stupid, but I don't think they are stupid enough to throw their money away.

Re:The real money in spam? Selling to spammers (2, Insightful)

daveo0331 (469843) | more than 6 years ago | (#21703338)

It probably works like Amway. The vast majority of distributors never make enough money to pay for the starter kit/inventory/out of town seminars/etc and eventually quit. But, there's an endless supply of new suckers ready to try and be the next Amway millionaire, so Amway itself never dies.

Wrong (1)

Besna (1175279) | more than 6 years ago | (#21700580)

Business in general tend to be rational. If the profit is not there, the product will not be used.

Re:The real money in spam? Selling to spammers (1)

sootman (158191) | more than 6 years ago | (#21700900)

I have to disagree. If that were the case, eventually every would-be spammer would buy $1,000 worth of spams, get $500 in sales, and quit. My inbox begs to differ. Now, there certainly is a very, very large population of assholes who will someday be spammers and plenty of them will be too dumb to give up, but if none of them made meney, the problem would go away. Selling spam services to spammers might be easier money but the spammers are turning a profit. Remember, a 0.001 percent response rate on ten million messages == profit.

And since stolen computers and stolen bandwidth cost the supplier very little, IF the number of spammers drops, the spam-suppliers will just make more enticing offerings: "The last round of 50 million messages didn't work? I've got a special this month: 500 million for the same price." The net result on your inbox will be the same.
 

Re:The real money in spam? Selling to spammers (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21701238)

And since stolen computers and stolen bandwidth cost the supplier very little, IF the number of spammers drops, the spam-suppliers will just make more enticing offerings: "The last round of 50 million messages didn't work? I've got a special this month: 500 million for the same price." The net result on your inbox will be the same.

I think your second paragraph proved the grandparent's point.

Re:The real money in spam? Selling to spammers (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21703468)

The money is made in selling the service to spam millions of people.

You are right! And I have to ask, once again, why, oh why aren't they going after the asshats who make lotsa money from this shit! The trail is there; every spam has to have a point of contact in order to benefit from it. Why aren't they cracking down on the very people who make money from spam? Who the hell else would be responsible for it?

I can hear it now; "No, I didn't send all that spam out. Someone else must have done this to gift me with $millions of e-commerce!" Bullshit!

Re:No shortage of idiots (2, Insightful)

Colin Smith (2679) | more than 6 years ago | (#21699780)

Help. Somebody please explain it all to me.
It's just arithmetic. Lets say...

A bottle of V|4GR4 costs me £1.99 and sells for £9.99
It takes 2 seconds to mail a spam mail.
My broadband costs £14.99 per month.

I basically need to make 3 sales per month to make a profit.

There are 2592000 seconds in a month, it takes 2s to send each mail, that's 1.3 million spam mails.

Only 0.0002% of the population mailed to need buy a bottle of V|4GR4 to make a profit.

50% of the population have an IQ of 100 or lower. Basically I'm on to a winner.

Re:No shortage of idiots (3, Funny)

mezron (132274) | more than 6 years ago | (#21699788)

Well, if you think about it... how did all those machines become part of the botnet to begin with?

Re:No shortage of idiots (1)

camusflage (65105) | more than 6 years ago | (#21699954)

Help. Somebody please explain it all to me.

Simple. Most of those spam mailings for pharmaceuticals are simply affiliates of shady sites, earning a percentage of the take by people they "refer". If you make 10% of an average order of $150, that's $15 per customer. If you can send 50MM messages and convert .001% (we'll say you can sucker one in 100,000 people), you're still making $7,500. If you only paid $2,500 to send those 50MM messages, you're still $5,000 ahead of the game.

Simply put, unless and until people stop buying shit through spam, it will continue to be profitable so long as it costs less to send an email than it does to convert a customer. Given the infinitesimal cost of sending an email, it doesn't take many responses to continue being profitable. Even in my scenario above, even if you can only sucker three in one million people into buying, you're not losing money.

Make the email costly (1)

El_Oscuro (1022477) | more than 6 years ago | (#21704194)

One thing that all spam messages must have, by definition: A website to sell their V14gra on. If you set up a botnet with 10,000 computers on it, you have the capacity to send 10 million messages a day for almost nothing. At the rate of .001%, that would be 100 orders a day.

Since 95% of all spam is blocked by filters, we have a way of making spam a lot more expensive. Simply set the filters to respond to the website on the blocked spam with opt-out messages. All of a sudden, the spammers website is slashdotted by opt-out messages from all of their blocked email. Imagine 100 orders and 9,499,900 opt-out requests a day. Kind-of changes the economic equation of spamming a bit.

Re:No shortage of idiots (1)

phantomcircuit (938963) | more than 6 years ago | (#21699990)

I understand that they're mailing out to millions of people and count on a high level of rejection, but how many people are stupid enough to open something that says, "5PL1t H3R 1n HALF WYTH YORE HUGE ORGAN"?
According to this [news.com] CNet article from 2004 the volume of email in North America alone was 31 Billion messages each day, approximately 90% of email is spam.

So that is 27.9 Billion spam messages a day (in 2004). Let's be forgiving and say that only 5% of spam gets through filtering. That is 1.395 Billion spam messages a day get through to the inbox. If only 1 in 100,000 people responded that would still be over 10,000 responses daily. And these are the numbers from 2004.

So that leaves what percentage of the population stupid enough to open one of these things and infect their computers with something vile?
Um the vast majority of people who use computers have absolutely no clue how they work nor do they care.

And if they're that stupid, how likely is it that they have a bank account worth looting?
Most spammers are looking to sell real items, drugs and knock off watches seem popular recently.

Re:No shortage of idiots (1)

Stan92057 (737634) | more than 6 years ago | (#21699998)

Is a person stupid because they buy meds online through spam at better then 1/2 it costs getting it at the drug store? I personally would never buy meds online from spam or anything else. But what about the millions of people that don't have a good health care plan or very low income. It seams to me a good financial decision to buy drugs oline from spammers if you are low income or no health care at all don't ya think?

Re:No shortage of idiots (1)

morethanapapercert (749527) | more than 6 years ago | (#21701320)

I see your point; but that leaves the buyer in the uneasy position of doing business with a complete stranger, often from a foreign country, who has proven himself to be sleazy enough to spam and yet being forced to trust that he is honest enough to actually send him what he thought he was ordering. I've read or watched many news articles where a shipment of counterfeit pharmaceuticals was intercepted by authorities and found to be watered down versions of the actual drug, a cocktail of other drugs whose effects might be confused with the actions of the real drug by a hapless user or a totally worthless placebo of some kind. I vaguely recall seeing at least one news article about seized alleged stimulants and steroids that upon analysis contained outright poisons (arsenic IIRC) and a sizable percentage of "unidentified materials". I also happen to know that there are many drugs that require special handling in order to be effective. (It seems like most of the prescriptions my kids get require refrigeration) It seems to me that buying drugs on the Internet, based on a spam ad, is about as wise as buying white powder packets or tan crystalline rocks from some shifty eyed corner pusher. Your life is only safe as long as the profit from repeat business is higher then the profit the pusher will see if he steps on his product with whatever he has laying around. I don't imagine the average spam vendor really relies on repeat business all that much do you? I will readily concede that some folks are poor enough or medically desperate enough to need black or gray market drugs, (e.g.,taxol for cancer, AZT for AIDS) but that doesn't fit the kind of drugs I have been seeing advertised. I don't think there are many people for whom taking Viagra, anabolic steroids, diet pills or rohypnol is a life or death issue.

Re:No shortage of idiots (1)

Stan92057 (737634) | more than 6 years ago | (#21702432)

I agree with everything you say,any choice dealing with spam is a bad one.I thought i would look at it from a different perspective,that said i personally think going after spammers is a waste of time really. I mean Ive been on the internet for only 13 years, spamming has gotten much worse even with better spam blocking tech. I think its really time to start going after who is hiring these spammers.Not an easy thing to do, but it may be easier then trying to find the spammers A spammer doesn't have a job if he doesn't have clients selling there wares.

Re:No shortage of idiots (1)

Grampaw Willie (631616) | more than 6 years ago | (#21700898)

So that leaves what percentage of the population stupid enough to open one of these things and infect their computers with something vile?

it isn't just "stupid" people

recently one hacker incorporated his codes into some advertising and then paid an ad agency to publish the stuff. and you could pick up his maleware by checking scores on MLB

FTC just shut down an online money processor for failure to exercise due diligence

we've had enough of this crap. it is time to take action from several directions, technical, legal. technical improvements to provide for DETECTION and legal improvements ro provide for RESPONSE. Civil liability for harm caused by maleware.

an ordinary customer should be able to buy a computer and surf on the net without getting the thing all plugged up with adware. think about this. if I plunk down good cash for a computer I should receive the value that I paid for. if my computer gets plugged up with maleware then I have not received what I expected for my money: the product has failed just like a set of tires that went 500 miles and then blew out flat. and from that I have a cause of action and deserve compensation, in addition to which the reputation for the product I bought will depreciate to GARBAGE although at this time I don't see any way Ms Windows reputation could depreciate any further although people keep buying it. duh, maybe they are stupid

no one owns rights to update my computer with software or with data. this is already established. when FAX came out the law was changed to prohibit unauthorized use of FAX machines for advertising, harassment or any reason

and there ain't no difference in a cell phone or a computer. it ain't yours: leave it alone.

Change is commin and bringin' hell with it

Re:No shortage of idiots (1)

TyIzaeL (1203354) | more than 6 years ago | (#21702198)

When you get a computer plugged up with "maleware" it is your fault. No one elses. Is it the dealer's fault if you drive around in your car with the emergency brake on all the time?

Al malware-infested PC can be fixed, a large part of the problem is that users have no that there is a level of separation between hardware (the computer) and the software (the rooted OS). I know people who have thrown out decent computers just because they've got malware slowing it down and are too stupid to actually find a remedy for the problem.

Slaves, too (0, Offtopic)

Lepton68 (116619) | more than 6 years ago | (#21699644)

Not only will we love robots, they will be our slaves, too. Usable, abusable, ownable, perfectly legal. And no, the robots won't rise up and take over (for at least a few hundred years) even though they will be much, much smarter than us, because they will be made to appear to like their roles, be loyal, and understand that they are expendable and disposable, and they will legally remain property to do with as we will. Though they will be human-like, they will be easily and visibly distinguishable from humans by some indelible, obvious markings, such as bluish skin. Even so, there will be incidents, crimes and regrettable accidents, where humans will be mistaken for robots and abused or killed. This is not a fiction I'm spinning, but a prediction.

Re:Slaves, too (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21700534)

Call me old fashioned, but I think I would still prefer niggers over robots. Obviously niggers are not smarter than us, but you do still have the very real possibility of an uprising. You've just got to crack that whip harder to keep them in line. The one thing that niggers can offer over robots is suffering. Sure, you can program robots to "suffer", but it's just not the same. Also, there is no substitute for human pussy (nigger qualifies as human (barely)). And when you get tired of a nigger you can just throw it away and get a new one, whereas robots are a costly investment. All in all, I think niggers are still a better investment than robots. Perhaps future improvements in technology will bridge the gap, but I wouldn't bet on it.

unacceptable language (1)

Grampaw Willie (631616) | more than 6 years ago | (#21701074)

your post contains unacceptable language

Utility Computing (3, Interesting)

Crispin Cowan (20238) | more than 6 years ago | (#21699912)

No kidding :-) I said in a public forum about 4 years ago that botnets are the first and only successful example of commercial utility computing [wikipedia.org] , where a vendor tries to rent out time on large compute clusters.

This works much better for botnet vendors than for Amazon EC2 or HP Utility Data Center, because the really valuable resource the botnets are renting is a routable IP address that hasn't been shut down yet. Computers are nearly free, but IP addresses that work are not.

Re:Utility Computing (1)

Lehk228 (705449) | more than 6 years ago | (#21704006)

not just IP's that work, IPs that do not share an obvious relation to one another.

Malware is closed-source (3, Funny)

JerryLove (1158461) | more than 6 years ago | (#21700450)

There's copyright protection on an product designed for illegal use? Isn't that like complaining that someone stole your cocaine?

Re:Malware is closed-source (1)

Vegeta99 (219501) | more than 6 years ago | (#21703118)

Some girl actually did that on Cops!

Mature IT industry, eh? (1)

jpfed (1095443) | more than 6 years ago | (#21700552)

Hopefully this means the malware industry will begin hemorrhaging money by hiring consultants.

Here's the actual paper. (4, Interesting)

Animats (122034) | more than 6 years ago | (#21700674)

Here's the actual paper from which came most of the material in the article: "The Commercial Malware Industry" [auckland.ac.nz] , from the University of Auckland. More technical details.

New threats of interest:

  • Some viruses now use error correcting codes so that attempts to patch them out will be repaired.
  • Windows Genuine Advantage blackmail trojan. Pops up message requesting payment of money or will disable your computer. (p.39)
  • Location-aware malware - used to find location for credit card number, so phony transactions can be generated from a physically nearby node. (p. 41)
  • "The most popular brands of antivirus software have an 80% miss rate" - AusCERT (p. 46)
  • Malware that detects and removes anti-virus and anti-rootkit tools is available. Once one of these is loaded, it runs before anti-virus software, even in Safe Mode. (p. 48)
  • "eGold Siphoner" detects valid sessions connecting to eGold.com and transfers funds by hijacking the authenticated session. (p. 52)

Kind of like open source copy protection? (1)

argent (18001) | more than 6 years ago | (#21700834)

The design of stealth software like the "packer" is the same as copy-protection and "DRM" media encryption software, they both depend on obfuscation to hide the payload from an attacker while giving him both the key and the cyphertext. If you open-source it, you're telling the attacker (the antivirus researcher, or the deCSS author) where the key or the malware is hiding.

I'm sure all the AV guys have already grabbed a copy of that packer and are totally on top of it.

Some day may all spammers.... (1)

rodney dill (631059) | more than 6 years ago | (#21701448)

...wake up with a Trojan horse head in their bed.

Woo!?! (1)

footissimo (869107) | more than 6 years ago | (#21702178)

"They opened the source code.."

Another win for FOSS!

language hacking (1)

SaberTaylor (150915) | more than 6 years ago | (#21707326)

This might sound like rubbish at first.

I'd rather you use the big old evil word, "evolution," rather than Darwinist or Darwinian.

Reason: conservative moonbats attack science by making it personal. For example, Rush Limbaugh attacks global climate change by saying that Al Gore is everywhere and listening to Al Gore makes him want to put a gun in his mouth (I am not making this up, we live in La La Land.)

Another reason is that the recent spate of articles catching on to calorie restriction as a method of life extension avoid the word "evolution" when discussing the reason that it works. The reason that fasting prolongs life is that evolution changes the aging governor in people who are experiencing famine to save them for reproduction later. No one, not Slate or NYT or Scientific American includes the word "evolution" when talking about this effect.

So let's drop the personification of theories. After all, evolution is a lot more than Darwin knew about, the theory has tremendous explanatory value and shouldn't be pegged to centuries ago.

JBS Haldane, 1940:

1. Events occur which are not perceived by any mind.
2. There were unperceived events before there were any minds.
And I also believe, though this is not a necessary logical deduction from the former two, that:
3. When a man has died he is dead.

Hit them in the pocket (1)

sjames (1099) | more than 6 years ago | (#21709946)

So far, the one legislative action that has done anything significant to spam was the law barring credit cards from processing payments to online casinos. It's not that much of a leap to similarly ban any payments to v1gra pushers as well as the many 'canadian pharmacies'. After all, the product is either quackery or an illegal sale of a prescription drug, so the enterprise is illegal even without spamming. Even a fair percentage of the id10ts that fall for the spam will balk at sending cash through the mail.

If the law also called for reversal of existing transactions to a merchant found to be pushing illegal pharmaceuticals or quack remedies (after all, unlike the herbal suppliment industry, the spams DO promise effectiveness for a particular condition) then the whole 'enterprise' becomes significantly riskier.

Likewise, pump and dump is illegal already and carries significnt penelties. In addition to clogging inboxes and defrauding naieve investors, they also do great economic harm to the penny stock companies that are targeted since their stock tends to end up worse off after the dump than before the pump. If the SEC actually pursued and prosecuted these fraudsters, they would stop.

That takes care of most of the spam. If we use "for the children" for good rather than evil for a change, we can also get rid of the sex toy and porn spam. Considering that spam is splattered everywhere, including wild guesses at potentially valid addresses, they are certainly not taking care to avoid soliciting children. why is it that the same prosecutors and detectives who would relentlessly pursue any XXX store owner who ever failed to throw a minor out of the store won't pursue spammers who actively invite children to buy their products and even preview for free?

Finally, the botnets themselves are built by committing felony tampering on a massive scale. Why is it that some kid hacks his way into one computer gets the book thrown at him, but a real criminal who hacks into MILLIONS of computers isn't pursued because "it's too hard"? Surely, anyone who commits millions of felonies is worth orders of magnitude more effort than some kid with a war dialer!

The FBI DID recently catch up with a few botnet operators. That's a good start, they should keep it up. The SEC and FDA should join them.

The repl|cas are about the only thing that might slip through the cracks, but even those may be violations of trademark law depending on how closely thay resemble the real thing. If they don't bear close resemblance, then they are mail fraud.

The short summary, the bulk of spam is connected with criminal enterprises. The process of zombifying a PC is a felony. There is no need to add new laws, just enforce the existing ones for a change. There is significant legwork involved, but on the other hand, if law enforcement just spends $30 or so a month on an ISP account, the spammers will effectively report their own crimes.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...