Paul Vixie On DNS Changer: We're Dealing With Malware the Wrong Way 163
AlistairCharlton writes with this snippet: "Victims of the DNS Changer malware think they have better things to do than check their internet security, and as a digital society we're dealing with malware in completely the wrong way. These are the thoughts of Paul Vixie who worked with the FBI in intercepting servers used by a gang of Estonian hackers who made millions of dollars from redirecting internet users away from the websites they requested, directing them to advertisements instead." The linked article also offers an interesting description of how the FBI's quiet takeover of a botnet came to be.
The FBI shouldn't have set up the alternate server (Score:3, Insightful)
... the victims would have noticed that their internet was cut off, and had to take steps to fix the problem then and there.
But presumably somebody at the FBI realised that they could collect all that lovely data on where everybody was going on the internet, and all without the need for a single warrant
Time to take the tinfoil hat off... (Score:5, Insightful)
But presumably somebody at the FBI realised that they could collect all that lovely data on where everybody was going on the internet, and all without the need for a single warrant
Care to show a source, even a single one, for that? The FBI handled this right, asking ISC to install and run the DNS servers. I really doubt the ISC would play ball with any extra-legal requests for data.
Amazing how much pure paranoia is modded up around here
Re:Time to take the tinfoil hat off... (Score:5, Insightful)
How is this handling it right?
Dropping the requests on the floor and teaching these folks a valuable lesson would have been handling it right.
Re: (Score:3)
How is this handling it right?
Dropping the requests on the floor and teaching these folks a valuable lesson would have been handling it right.
We can debate whether just dropping the servers should have happened or not. Personally I think that was correct, as just dropping internet connectivity for a large group of infected people (most of whom wouldn't have a clue about what's going on and how to fix it) would have been far more disruptive than the campaign that attempted to notify people they had a problem and how to fix it (with clickable links that worked while they were on the computer.)
That said, my original comment about them "handling it
Re: (Score:2)
Oh christ. Are you that lacking in imagination you can't think of any way that possibly, some techies could spread this out a bit?
How about, ISPs can run their own campaigns and then voluntarily ask to have their blocks shut off on their schedule?
Or, the DNS server admins do it on a schedule using simple hash codes. "Hey, ISP, if your IP address block octets add up to X hash, we are blocking it on Monday. If it's Y, it will be next week.
ISPs themselves could block traffic to these servers slowly to
Re:Time to take the tinfoil hat off... (Score:5, Informative)
Exactly. We know we never have to worry about a private corporation using personal data for profit, right? And no company would ever play ball with the feds in return for a juicy government contract. And its a good things they have a good reputation. I mean, someday companies might even have to start hiring PR people and the like to try to hide the evil things they do behind a good reputation.
Who said anything about a private corporation. Do you know what ISC [isc.org] IS?
They are a non-profit organization whose sole purpose is to support the infrastructure of the Internet. They build open-source software (like BIND and implementations of DHCP). Sorry, but you really should research before you spout off.
Re:Time to take the tinfoil hat off... (Score:4, Informative)
They are a non-profit organization whose sole purpose is to support the infrastructure of the Internet. They build open-source software (like BIND and implementations of DHCP). Sorry, but you really should research before you spout off.
Not to mention running the F root name server [isc.org]. They really know DNS.
Off the top of my head, I can think of only a few organizations in the world who have the know-how and ability to run a large-scale DNS system properly. ISC is at the top of that list. IMHO, the FBI chose wisely.
Re: (Score:3)
They're also a huge part of the problem in dealing with the DNS system's shortcomings.
IPv6 DNS lookups are a fiasco, so is DNSSEC, and for that matter, so is BIND.
We really need a research group a little more separated from Vixie working on a much better replacement for modern DNS.
Re: (Score:2)
Exactly. We know we never have to worry about a private corporation using personal data for profit, right?
So what DNS server(s) do you use? Probably (like most people) those of your ISP.
Re: (Score:3, Insightful)
Re: (Score:2)
I am not so sure. Perhaps instead of sending them to the ad sites, send them to a site that tells them they are infected and that they will get progressively slower responses until they fix things. Then progressively slow their requests down making things more an more painful?
IOW. make it worth their while to care? Someone is, after all, having to spend extra money to keep them working.
Or did I misunderstand something here?
all the best,
drew
Re: (Score:2)
Apart from making the requests slower, I agree with your suggestion. Allowing an infected computer to proceed without incident isn't something the FBI should've done. Getting those systems fixed ASAP--by letting the user know they were infected and how to remove it--should've been the priority.
Re: (Score:3)
Dropping the requests on the floor and teaching these folks a valuable lesson would have been handling it right.
Suppose a cop sees someone walking down the street checking doors to see who's left their houses unlocked. Should he let an obvious burglar continue in his work to "teach folks a lesson" about locking their doors?
Re: (Score:2)
It's not an unlocked door, it's more like a contagious disease. Whoever leaves the door open, is only damaging itself. Those infected are often letting their computers send spam, spread malware or participate in DDOS attacks. Sometimes the computers in question host fishing sites or even CP, therefore actively harming others. A contagious person should be kept away from the public, a contagious and unprotected computer should be kept away from the Internet.
Re: (Score:2)
Re: (Score:2)
No, that would be more like what the FBI did. They allowed infected machines to continue to be useful.
Dropping the requests would be more like arresting and removing the person messing with doors.
Re: (Score:2)
They allowed infected machines to continue to be useful.
Did they? I was under the impression that they shut down the C&C servers that the malware was pointing the infected computers to. That was how they were able to (eventually) shut them all off. If the FBI, through ICS, controlled the DNS server the malware was pointing to, how does the malware continue to be useful to it's creator?
Re: (Score:2)
It does not, but these machines were still infected with this and likely other malware. You think these machines only had one infection?
Re: (Score:2)
No you should STOP the burglar and place crime scene tape down, just as they would have done by removing the DNS servers (as evidence) and leaving nothing in their place.
Re: (Score:2)
No, forcing ALL lookups to resolve to a server that gives cleaning instructions and tools would have been better.
Re: (Score:3)
No redirecting users to a page they were not expecting to see and then encouraging them to run software or blindly make system modifications they don't understand is a terrible idea.
The right thing to would have been to have a simple message telling them their system is compromised (show a nice FBI logo) and direct them to contact their ISP or a local computer support firm.
Re: (Score:2)
...just make sure you don't say the computer itself was compromised, as for many people, the computers on the network are all fine now, but their router has been redirected. I've had to help out a number of people who got nastygrams from their ISP saying their Windows PC was infected with the Alureon virus... people who tossed their Windows PC shortly after it got infected with said virus and switched to a Mac. The trick is that while infected, their PC used the default credentials for their routers to re
Re: (Score:3)
How is this handling it right?
Dropping the requests on the floor and teaching these folks a valuable lesson would have been handling it right.
Hopefully you don't actually work in IT... If you do, I'm sure it won't last with an attitude like that. Dropping requests, and disconnecting users with no warning is almost never a good idea.
Re: (Score:2)
I do work in IT, I have been doing it a long time, and it is often the right approach.
When I got into my current job it was a total undocumented mess, step one was to document who was using what machines, since none of the users had any idea we unplugged the network connections from one machine at a time and waited for the complaints to roll in. In less than a week were were able to find out that more than half of the machines were not used by anyone, and were not at the time running any needed service. We
Re: (Score:2)
What you propose turns out to be, in practice, a pipe dream. If you don't know anything about cars, you're getting ripped off by car mechanics and dealerships every time you visit them. And I do mean ripped off; I'd think an average car-driving american can easily waste $20k over their life that way. If you know nothing about basics of home construction, you'll be lucky if you end up on Holmes on Homes [hgtv.com] and get a $100k gift to fix the mess you got yourself in -- if $100k is enough, that is. I've seen myself
Re: (Score:2)
What you propose turns out to be, in practice, a pipe dream. If you don't know anything about cars, you're getting ripped off by car mechanics and dealerships every time you visit them. And I do mean ripped off; I'd think an average car-driving american can easily waste $20k over their life that way. If you know nothing about basics of home construction, you'll be lucky if you end up on Holmes on Homes [hgtv.com] and get a $100k gift to fix the mess you got yourself in -- if $100k is enough, that is. I've seen myself houses on the market listed for $100-$150k where it'd be cheaper to rebuild than to fix. If you don't ask questions, have no company at the hospital and know nothing about medicine, you're at elevated risk of various medical mistakes (sorry, I don't have a link handy, but that's my personal experience). If you don't know anything about science and can't visualize meaning of numbers, you'll be easily fooled by politicians, marketers and bankers alike. Knowing your orders of magnitude and being able to do mental math to visualize things is way more important than knowing about Shakespeare, unless you've got a wealthy uncle sponsoring you, that is. Not that I have anything against learning of Shakespeare's work, mind that.
There is a minimum amount of general education that one needs to succeed in today's society -- and no, that doesn't mean knowing literature or whatever else classically passes for general education. You need to know basics of various "technical" disciplines that directly affect you in your life. To me, that's what contemporary civics should mean. It should be the role of grade schools (up to grade 12) to teach kids the basics of what makes the world tick, so to speak. Unfortunately, that's not what's done, and the adults in charge are none the wiser...
Most of what passes for civics these days is entirely useless trivia: stuff that you can't base any decisions on. It's as useful as entertainment is: good for you if that's what you like to know/do, but not helpful otherwise. I'd even go as far as claiming that, say, learning the names of all U.S. presidents or the roots of the U.S. government is an abominable waste of time -- again, if you're forced to do it at school. It's knowledge with absolutely no application to everyday life. Some people may find such trivia entertaining or interesting, but then it's their choice how to apportion their free time, and I sure as heck can't tell them not to learn it. But if they choose memorizing the presidents over knowing what malware is and how to protect oneself: it's them who lose, not myself. Let's face it: computers and automobiles are everyday tools that livelihoods depend on, especially in the U.S.
What you are talking about happens in just about every industry. Nobody can be an expert at everything. When Joe the non computer geek goes out and buys a pc, guess what? He pays more for less than he would if he were an expert. Joe's idea of computer security is probably one of those cables you glue to the case and then glue to the desk. Computer security is in a sad state because as it sits today, it requires some significant technical skills and usually has a significant impact on performance and ope
Re: (Score:2)
Dropping the requests on the floor and teaching these folks a valuable lesson would have been handling it right.
No it wouldn't.. Redirecting EVERY SINGE request back to a web server that says "your computer is possibly infected with malware, and after $DATE will stop working, please click HERE to read how to fix it, or who to contact, or click HERE to proceed on to the page you requested.
That would have annoyed them, educated them, and given them a still working connection. Just stopping all resolving is an ugly thing to have to fix.. especially since its not like they just go look at their IP config, and see the w
Re: (Score:2)
No it wouldn't.. Redirecting EVERY SINGE request back to a web server that says "your computer is possibly infected with malware, and after $DATE will stop working, please click HERE to read how to fix it, or who to contact, or click HERE to proceed on to the page you requested.
Your presumption that a DNS server can know whether a request was made for a web server or not is incorrect. The WKS record was never used properly, and was abandoned over a decade ago.
Pointing a user's requests for the IP address of pop3.provider.net or ntp.microsoft.com to a web server will only cause outages, delays and error messages the user won't be able to understand.
Also, two wrongs doesn't make a right.
Re: (Score:2)
How about resolving all requests to the IP of a web server with a single page explaining the issue to them?
Re: (Score:2)
Aah. Every story i've read (and I haven't paid that much attention to this beyond making sure I wasn't infected), has oversimplified it to "The FBI took over the running of the DNS servers".
I stand corrected on that point, my apologies.
I entirely stand by the "they should just have let the infectees internet access die so they're forced to fix their problems and learn about the importance of security" part of my comment though :)
Re: (Score:2)
Clearly, no ISP in the history of the world has ever had a technical support phone number.
Re: (Score:2)
Yes I am sure every ISP wants their help lines flooded with thousands of calls every hour they couldn't possibly answer. Of course none of their customers will mind the extra $100 surcharge for having to hire all the extra phone support folks due to handling the incident the way you suggest. Sounds like a brilliant solution.
Re: (Score:2)
You know, just for once, the people that are too stupid to run computers without getting infected should pay the pain on this. This "fix" only "fixes" it for a few people who would be inconvenienced on the immediate time frame.
If the pain really got to the people that got infected, they might do things differently, like, not get infected or learn a little teensy bit about using a computer, or maybe vote for politicians that actually tell the cops and their analogs to go find, and prosecute the malware pur
Re: (Score:2)
Re: (Score:2, Insightful)
I seriously doubt the FBI needs to run DNS servers to get your private data without a warrant. The US government, evil or not, does have an interest in keeping its people's computers safe from non-US gvmt surveillance.
Remember, the NSA has two goals: getting into your data and keeping its enemies out. Don't forget #2.
Re: (Score:2)
FBI spying paranoia concerned, that's just plain wrong. FBI did nearly the worst thing they could do: they masked the problem from the users.
If they had allowed the DNS lookups to fail, the problem would have been over in a few days, and dns changer would have been a complete non-story and nearly forgotten a week after the fraudulent servers were taken down.
Instead, they got involved for no good reason that anyone has explained, somebody spent extra money dealing with it, and th
Re: (Score:2)
But presumably somebody at the FBI realised that they could collect all that lovely data on where everybody was going on the internet, and all without the need for a single warrant
Care to show a source, even a single one, for that? The FBI handled this right, asking ISC to install and run the DNS servers. I really doubt the ISC would play ball with any extra-legal requests for data.
Amazing how much pure paranoia is modded up around here
Go look at msnbc or fox news or pick your news source - it's no secret. In the USA, the most reasonable thing to do is to assume the government is up to no good lately. It's been that way for about 11 years now. Maybe you are not American so you weren't aware what has been going on? I assume I don't have to post a link to lmgtfy.com, right?
Re: (Score:2)
Should they also trust the popup that says "Your computer is infected, click >here< for a free virus scan!"?
How can they tell the difference. One appeared when they didn't expect it, and the other appeared when they didn't expected.
Oh - I know - the *real* one should finish "Honest, you can trust us. Signed, Teh FBI".
Re: (Score:2)
This is the proper approach in my opinion too.
Re:The FBI shouldn't have set up the alternate ser (Score:5, Funny)
Or better - all requests to lemonparty.org.
NOT work safe, in case you were wondering. That was awkward.
Re: (Score:3)
Oh hey, it's the last person on Earth who hasn't been exposed to a shock site. And he's on Slashdot. This will end well.
Definitely the wrong way (Score:5, Insightful)
Re: (Score:2)
If it's malware that could spread and infect other PCs, then the government may need to intervene above and beyond simply notifying people. It's not too different than doing something "for the public health". I'm usually all for the government being hands-off, but if they can help stop malware from spreading to my machines (or worse yet, my mother's) and it doesn't cost me too much more as a taxpayer, then I'm all for them. However, I'd rather see them take the Obamacare approach here and "tax" people who c
Re: (Score:2)
Re: (Score:3, Interesting)
It's like if someone left their car unlocked, and did not have car insurance, and they had their car stolen. Then the FBI had to drive them to and from work in a police car for 6 months.
Re: (Score:2)
Because you are human, and you care about other humans. Otherwise you are a narcissist and on the fast track to corporate success.
Re: (Score:2)
No, because it's the old conservative government's task to punish malefactors.
--dave
Re: (Score:2)
Re: (Score:2)
Foul! Unnecessary verbal roughness with the phrase "Pee Tardier"
Automatic touchdown for opposing team.
Re: (Score:2)
Thank you Mr. AC. That needed said.
Cornficker (Score:5, Funny)
"Taking the Cornficker virus as another recent example of computer malware, Vixie predicts an uncertain future where computer users don't understand or simply don't care about the risks involved."
Cornficker is related to the Conficker malware, but prefers to fick it's victims with vegetables instead. Many vicitms did not mind.
Re: (Score:2)
iPhones work.
Whereas, Blackberries do not.
Summary: Area Man Has Gut Feelings (Score:5, Insightful)
From TFA:
Summing up, Vixie says: "These victims seem to feel that [they] have more important things to worry about. My gut feeling is that they're wrong, but I can't seem to prove it. My other gut feeling about all this is that we, as a digital society, are doing this all wrong."
My gut feeling is that International Business Times didn't really have a useful article but needed some more ad space, so they wrote this thing.
For the few of you considering actually reading the article: There is nothing new to see there. Move along.
Re: (Score:3)
My other gut feeling about all this is that we, as a digital society, are doing this all wrong.
...which I read as: There's a big problem. I have no solutions, but dammit, this is a problem.
Re: (Score:2)
A pity that the article does not give any indication of how he it could be better done. A gut feeling that 'we are doing this all wrong' is not much (practical) use without some idea of how we should be doing it.
Re: (Score:2)
That's because there are none that are satisfactory.
First, we have to accept the fact that computers and the internet are a necessity to participate in a modern economy. Especially in developed nations - where it's extremely difficult to do anything without the Internet, including stuff like apply f
Re: (Score:2)
We do, though, expect people who drive to know the basics about cars. If for instance you insist on driving on bald tires, when they inevitably blow out on the freeway we don't provide free towing and free replacement tires. And if the blow-out caused you to hit another car, the
Re: (Score:2)
The correct way IS to be disruptive. Be as disruptive as possible. Evolve or perish is the whole of the law. Complacency allows the least-fit to survive as "captains of industry". And we found out with the Titanic what happens when an unfit captain is left in charge. Why repeat the experience?
Re: (Score:2)
I would add that the title of this Slashdot article bears no reference to the crummy International Business Times article. At no point in TFA is anyone quoted as saying "we're dealing with malware the wrong way." That's just a Slashdot editor passing off his own conclusions as those of the article.
Go read the last paragraph (and the title) of the IBT article, again.
Best of All Possible Worlds (Score:2)
This solution is not perfect, but it is the only one yet devised that doesn't require allowing some third party to either access arbitrary computers and the data on them at will without the user's knowledge or consent, a warrant, or even suspicion of wrongdoing, or to assume complete control over what can and cannot be installed on a computer.
Neither of these is acceptable. The ends don't justify the means.
Re: (Score:2)
There seems to be one solution you over looked, just turn off those DNS servers and let the users figure it out themselves. I am sure the loss of name resolution would have been noticed.
Another approach would be to make any requested url return a page that showed only a simple declaration that your machine is infected get it fixed.
Re: (Score:2)
What the article seems to call for is a system that does not expect anything from regular users.
The people who reject the FBI's approach would also reject the one you propose, because ultimately it still expects something of users (namely, to notice something is going on and to take steps to fix it). Yes, it's a trivial expectation, but the core assumption behind the article is that expectations are bad.
the lies we tell ourselves and each other (Score:5, Insightful)
"I'll renew my antivirus licence next day pay"
"The cheque is in the post"
"I'll pull out in time"
All are the many lies people tell themselves and each other.
Basically as humans we tend to only do things which will have an immediate impact, and are capable of doublethink over things which might not happen or can be deferred.
Re:the lies we tell ourselves and each other (Score:5, Funny)
"The cheque is in the post" "I'll pull out in time" .
Hey, is that you Dad?
Re: (Score:2, Flamebait)
"I'll pull out in time" .
Hey, is that you Dad?
Holy shit, a talking dog!
Re: (Score:2)
Security Essentials isn't free (it requires you to buy Windows, so it's not free-as-in-beer, and it's not open-source so isn't free-as-in-libre). It's also b. useless. I've known almost nothing to be stopped by it. There are a great many Russian antivirus tools that seem to work very well, and then there's the ones from Finland (Linux) and Canada (OpenBSD) that also allow you to do useful things as well.
Re: (Score:2)
Security Essentials isn't free (it requires you to buy Windows, so it's not free-as-in-beer, and it's not open-source so isn't free-as-in-libre).
We're talking specifically about Windows systems so this pedantry isn't germane.
It's also b. useless. I've known almost nothing to be stopped by it.
You can't be serious. A machine is just as safe with nothing as it is with Security Essentials? I'm not saying it's better than the competition, I'm saying it's better than nothing. Are you disagreeing with that?
Re: (Score:2)
Yes I am disagreeing with that. I do not regard Security Essentials as better than nothing, I regard it as equal to (at best) and possibly worse than nothing (since it encourages risky behaviour). Security Essentials is about as useful as a perforated condom that has been exposed to intense UV bombardment for a week.
The fact that you're buying Windows doesn't change the fact that you are spending the money to do so, so no it isn
Re: (Score:2)
since it encourages risky behaviour
But we're talking about people who run /no/ AV. If they ran AV there'd be no FBI issue at all here. Even if it were Security Essentials.
So Free-as-in-libre is a perfectly valid point to raise.
Yes, for people who are even aware of what AV is. If you can solve that problem, I'll agree 100%.
Re: (Score:2)
The concerns were various spyware trojans.
Have viruses come back?
Your pedantry isn't germane to the conversation. It's the terminology used in the field [wikipedia.org].
hack is brilliant technically, stupid tactically (Score:4, Insightful)
why did the hackers think they were ever going to get away with it?
it is a brutally effective hack, but...
1. they thought no one was going to notice?
2. and if they noticed, no one was going to do anything about it?
3. and if anyone was going to do anything about it, they didn't see the glaring weak point that would so easily undo all of their hard effort?
commandeer your rogue DNS server. duh!
how come these hackers spent so much time energy and effort in a scheme so easily undone?
this not a matter of "oh, it's easy to point problems in hindsight". these guys obviously had the intellectual capacity to think through the technical requirements of their hack. so they obviously had the intellectual capacity to think through the tactical requirements. none of them said "it will never work: single easy point of failure."
"These are the thoughts of Paul Vixie who worked with the FBI in intercepting servers used by a gang of Estonian hackers who made millions of dollars from redirecting internet users away from the websites they requested, directing them to advertisements instead."
well ok, jokes on me: they realized the weakness, and they bet the authorities were going to react slowly, and they won the bet
Re: (Score:2)
The problem with DNS poisoning is that DNS caches change slowly. Also, DNS is often slow and unreliable so zone transfers to locally mirror the bits of DNS needed is a fairly routine practice. This keeps the poison in the system.
And the right way? (Score:2)
CRON (Score:2)
Re: (Score:2)
10 04 * * * sleep 15 && /usr/local/bin/comand.sh
done, its fixed
Re: (Score:2)
If you need run something every second why not have it be a persistent application? If you want cron to do it it's a pretty trivial hack to do so.
Remember back when... (Score:4, Informative)
As opposed to today when uhh...
At what point did the average home user understand or care about security? We should consider ourselves lucky that service providers at least pretend to care about security these days. Any home user that can understand computer security policy and practice is most likely in the industry, or trained to do so.
Now a High School / GED level computer security class might sound hilariously basic for someone on Slashdot; but might be as useful as drivers ed classes for the masses. Sure there are morons that will drive/compute unsafely no matter what training, but some basic learning on how to protect one's self would really help intelligent people that just don't know better.
Re: (Score:2)
Today, computer users don't understand AND simply don't care about the risks involved. Since it's a boolean AND, not a boolean OR, there's no uncertainty involved.
Correct link to cited Vixie post (Score:5, Informative)
As has become all too common the /. summary is linked to a negative-added-value article at the totally worthless IBT.
Paul's actual post is at CircleID: http://www.circleid.com/posts/20120327_dns_changer/ [circleid.com] and is over 3 months old. Not news. As is normal for Paul it is well written and smart but if you've been following DNSChanger, you've read this already.
Paul Vixie and Dirk Diggler star in... (Score:2)
>> Paul Vixie
Not a bad porn star name. Or is he just a huge Fox and the Hound fan?
Behavior not new (Score:4, Interesting)
Victims of the DNS Changer malware think they have better things to do than check their internet security
Victims of food poisoning think they have better things to do than check their food safety. Victims of STDs think they have better things to do than practice safe sex. Victims of car theft think they have better things to do than lock their car doors. Victims of lightning strikes think they have better things to do than to seek cover in a storm.
Humans have always engaged in risky behavior, and generally for the same old reasons. You can educate those willing to listen, but you can't force those who won't.
Re: (Score:2)
Yes, humans have always engaged in risky behaviour. And when done appropriately, this works extremely well. With appropriate risk-taking, you can maximize your benefits and minimize your costs.
Of course, there's always INappropriate risk-taking. The Darwin Awards are based on one form, the Gor novels on another.
One way is to catch outbound Spam (Score:2)
In a discussion with a network capacity planning firm some time ago, the discussion turned to the amount of outgoing spam that ISPs let flow out of their systems, while at the same time madly filtering incoming spam.
A defence in depth would arguably be more effective, as much as four times as effective for the same amount of work, and probabilistically even better.
The arguments we heard were that the ISPs could not legally block their customer's outgoing mail. In fact, the same applied to blocking thei
Re: (Score:2)
I already get spam that pretends to be my mail server and instructs me to open the attached file to figure out why "my" message was rejected. Do we really want to encourage this pattern?
Re: (Score:2)
Cheap marketing and greed (Score:3)
It's at the core of all the problems. Many see the internet as [near]-free advertising and easy and anonymous commerce. Trust is placed in all of the wrong places.
This, of course, was all inevitable. We are not going to overcome human nature, impulse or desire. There were things that could have been done to prevent that. The internet was not designed for or intended for the uses we have put it to today. But even in its early days, people were quite annoyed by mass emails among many other things. So I guess I am saying "they should have known" and should have adjusted and updated the internet's protocols with these problems in mind.
The internet was not considered a "public internet" initially and so there was a weird notion that everyone can and should trust one another. People will always ruin Utopia. It is easier to blame the few than to blame the masses and it is the masses who are "ruining" the internet. The few who engineered the internet could have and should have done things to fix it. Now the standards and protocols are pretty much at "critical mass" and they are "too big to change."
Re: (Score:2)
Within 24 hours of the Salt Lake lawyers spamming Usenet with advertising and publishing a book on how to pervert the Internet into an electronic billboard, it was obvious to 99%+ of the community that protocols needed replacing.
Since that time, the other 1% have ripped ALL the security features out of IPv6, deprived the Internet of electronic congestion controls, exterminated network neutrality and otherwise done everything that 1%-ers usually do to make life hell for the 99%.
We really need an Occupy Gophe
Computer administration (Score:2)
One of the basic problems today is when you buy as PC it doesn't come with an administration service. You, the purchasor are expected to "figure it out". Well, most people do not and that clearly should not be news to anyone. The result is that there are a lot of computers that are causing trouble for everyone on the Internet.
Who should be responsible? Clearly not the computer owner unless we start enforcing some education requirements and have real penalties for allowing your computer to be used for cr
Re: (Score:2)
There are really only two options... either turns computers into centrally managed appliances, completely restricting a user's ability to do what they want with them, or set up a computer use licensing system akin to a drivers license, and you need to be able to pass a test for basic competence before being allowed to purchase one.
Re:Computer administration (Score:4, Insightful)
Wasn't this the original intent of the web browser? Rather than connecting your computer to a network of other PCs and running executable files, internet users would be able to set up "webpages" using a markup language that did not execute code on the computers of others who were only viewing the webpage. Drive-by virus downloads were not even possible back in 1995 or 1997 when web browsers actually "browsed" the internet. But browsing endless pages of text, sound, graphics, pictures, GIF animations and even motion video was not enough. Users wanted more interaction. They wanted in-browser games rather than playing stand-alone games in multiplayer mode. They wanted interactive web applications that could perform calculations, not just read back text and pictures like a magazine. Rather than standing against the demands of the uneducated masses due to the risk of anonymous cyber criminals hijacking their machines, HTML was enhanced with JavaScript, Flash and other exotic tools. The browsers made add-ons available and later these functions were buried and integrated deep within the next release of the bare bones browser. Like a boy crying "wolf" the browsers began warning users of the dangers of clicking a hyperlink, allowing cookies, allow scripts, leaving a secure site, certificate missing, etc. while at the same time very few of the websites users needed to see could be accessed without these warnings. Naturally the users began to dismiss most if not all of the automated warning notices. With time the scale and bloat of web browsers increased to surpass that of whole operating systems of old. Plug-ins, pop-ups, location sharing, data mining cookies, and notifications became standard industry practice. The malware hackers had endless fun with the complex, bloated, and vulnerable layers of code that left gaping exploits such that even a benign jpg image could become the carrier for a globally devastating virus. Hackers were even able to add malicious code to legitimate sites. Before long the intrinsically safe browser became the PC users most vulnerable liability.
A new "that's what she said"? (Score:2)
"""
At its height, DNSChanger infected four million computers in 100 countries, with around 300,000 still under its control - something many victims are unaware of and unable to fix.
Like us on Facebook
"""
I'm sorry they're unaware of and unable to fix themselves, and therefore still under DSNChanger's control, on Facebook.
Or vagina.
Better things to do... (Score:2)
Well gee... they have better things to do than worry about internet security? Well *I* have better things to do than worry about cleaning up after their incompetence and lack of responsibility.
Being hit by malware sucks. But being hit by malware because you actively refuse to take even basic precautions... well, you deserve anything that happens to you. It's like willingly walking into the middle of a warzone and then complaining because you got shot.
Non-story of the decade (Score:2)
Re: (Score:2)
Nothing happened in 2000 not because Y2K was a non-story, but because the IT industry practically doubled in size for 3 years to fix billions of programs on a global scale.
All wrong? (Score:3)
"...we're dealing with malware in completely the wrong way."
So what would he suggest?
Many problems in technology, computer-related or not, can take design lessons from nature. Nature's methods tend to be very elegant and ingenious, worth replicating in the digital world.
How do our bodies deal with viruses or other organic "malware"? Antibodies may be the best analog to antivirus software, as they work in a very similar way. White blood cells are more intelligent and active, possibly more like heuristic algorithms applied network-wide. Barriers (skin) functions something like firewalls.
I have to disagree with the author. We're not doing it all wrong. We just need to keep looking for new ways to make it harder for malware to survive. Yes, it's an arms race, it always will be. Same as nature...we learn to conquer bacteria, only to have superbugs crop up, that are resistant to antibiotics.
Malware is a fact of life, both digital and organic.
Moderate parent up, please! (Score:2)
Point to a "you need to fix your computer page?" is brilliant and obvious. Darn, why didn't I think of that!
--davecb
Re: (Score:2)
Point to a "you need to fix your computer page?" is brilliant and obvious. Darn, why didn't I think of that!
The last five times Slashdot has run this story in the last two weeks, 50% of the spots have made that suggestion. Proves that no one reads the articles, the summaries, or anyone else's comments.
Re: (Score:2)
Re: (Score:2)
Point to a "you need to fix your computer page?" is brilliant and obvious. Darn, why didn't I think of that!
--davecb
Bad idea.
Do you know how many fake "you have a virus click here to remove it" malware pages are out there?
How is your average user supposed to know the fbi's site is real.
Re: (Score:2)
Because it doesn't have a link, just the usual kind of language you see when it's a non-commercial entity: "choose a reliable provider of antivirus programs, and follow their instructions for the removal of the DNS Changer virus".
--dave