Hackers hit key Internet traffic computers
It's amazing how reporters have to butcher technology information to make it understood by their editors
http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories
Ugh, yeah. Things look pretty good presently. <http://www.cymru.com/monitoring/dnssumm/index.html> -- Rob Thomas Team Cymru http://www.cymru.com/ cmn_err(do_panic, "Out of coffee!");
It was clear from the highly reliable index I call the "Nanogdex" that nothing was seriously amiss. Ndex value of 0, i.e. no traffic on-list, means either "all systems go!" or "outage so serious that Mitre is unreachable. Stockpile ammunition" Ndex value of 5, i.e. +/=100 mails/day, means "serious crisis" A caveat - Ndex 4 is usually "situation normal, members bored and discussing the relative merits of the Chicago and Kansas City cable tie knots."
On Feb 7, 2007, at 6:27 AM, Jeff Kell wrote:
Alexander Harrowell wrote:
It was clear from the highly reliable index I call the "Nanogdex" that nothing was seriously amiss.
Yes, but it got so much bloody press that ambitious copycats can't be too far behind.
When 2 of 13 root systems are affected (>90% loss), how many systems will withstand such an attack when targeted lower within the hierarchy? FWIW, the attack rates did not seem that high. -Doug
Douglas Otis wrote:
On the same note, and this is just an observation, I hear two thoughts: some talk of not using anycast, and then there are others who stand their ground about anycast deployment. Looking at these attacks, F in particular, if my memory serves me correctly, there are 35 f-root anycast nodes deployed. Maybe this helped in some respect. Then again, I'd like to see what kind of analysis comes out from the collected data. regards, /virendra
On 7-Feb-2007, at 15:24, virendra rode // wrote:
Looking at these attacks, F in particular, if my memory serves me correctly, there are 35 f-root anycast nodes deployed. Maybe this helped in some respect.
Dave Knight's lightning talk in Toronto seemed to indicate that F's anycast platform did a good job at sinking the bulk of the attack traffic in Seoul and Beijing, and that the spill-over from the region was mopped up easily by the very large nodes in California. Most other locations that have a local F-root server saw very little impact. Isolation of attack traffic seems like a big help to me.
Then again, I'd like to see what kind of analysis comes out from the collected data.
Joe
On 2/7/07, Alexander Harrowell <a.harrowell@gmail.com> wrote:
A caveat - Ndex 4 is usually "situation normal, members bored and discussing the relative merits of the Chicago and Kansas City cable tie knots."
to be fair that was a pretty informative discussion for those of us who were still wearing diapers when ma bell was broken up.
On Wed, 7 Feb 2007 10:17:34 -0800 "Aaron Glenn" <aaron.glenn@gmail.com> wrote:
But that aspect was wasted time, since they're putting Ma Bell back together again... --Steve Bellovin, http://www.cs.columbia.edu/~smb
Speaking of putting Ma Bell back together again - you have to see this YouTube video on AT&T before they yank it. It does accurately chronicle the AT&T divestiture and reassembly. http://www.youtube.com/watch?v=YtFtcp4mNzA ENJOY. Cheers, Hank
On Tue, 6 Feb 2007, Roy wrote:
It's amazing how reporters have to butcher technology information to make it understood by their editors
http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?e...
Do we keep missing opportunities? Yes, it was a minor incident, just like a minor earthquake, the hurricane that doesn't hit, the fire that is extinguished. But it was also an opportunity to get the message out to the public about the things they can do to take control. We remind people what to do in a tornado, earthquake, flood, hurricane, etc. This on-going education does help; even though some people still drive their cars through moving water or go outside to watch the tornado. Instead of pointing fingers at South Korea, China, etc., every country with compromised computers (all of them) is the problem. The United States may be slow as far as broadband, but it makes up for it in the number of compromised computers. We may know the drill, but it doesn't hurt to repeat the message every time we have the public's attention for 15 seconds.

1. Turn on Automatic Update if your computer isn't managed by a full-time IT group. Microsoft Windows, Apple MAC OS/X, and several versions of Linux have Automatic Update available. Most vendors make security patches available to users whether or not the software is licensed or un-licensed. Zero day exploits may be sexy and get the press attention, but the long-term problem is the computers that never get patched. The VML exploit on the football stadium websites was patched last month; but it's not how fast a patch is released, it's how fast people install it.

2. Use a hardware firewall/router for your broadband connection and turn on the software firewall on your computer in case you ever move your computer to a different network. Use Wireless security (WEP, WPA, VPN, SSL, etc.) if using a WiFi access point, or turn off the radio on both your home gateway and computer if you are not using WiFi.

3. Even if your computer is secure, miscreants depend on your trust. Be suspicious of messages, files, software; even if it appears to come from a person or company you trust. Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But don't assume because you are using them, you can click on everything and still be safe. The miscreants are always finding new ways around them. It may just be human nature, but people seem to engage in more risky behavior when they believe they are protected.

4. If your computer is compromised, unplug it until you can get it fixed. It's not going to fix itself, and ignoring the problem is just going to get worse.
Sean makes a good point, but there is one small problem with his suggestions. He is preaching to the choir. I really really hope everyone on this list knows how to do some basic security on their personal computers (not to mention the collection of security experts that are on this list). The real problem here is getting the word out to regular users about computer security. Case in point. A friend of mine was recently buying her daughter a new computer for her birthday. So she asked me to give them suggestions and look over the specs of a few models they were considering. On the print outs she handed me (I think from Dell) she had unchecked the AV and firewall software. When I asked her why, she responded with "oh we trust our daughter, she won't go to any bad websites so anti-virus and firewall software is just an unneeded expense"... It is this type of mentality that is common among consumers. Another time I was doing some consulting work for a NPO. I was going over the findings of my audit and I told the IT manager that all of his machines were missing patches. His response: "we only install service packs, individual patches take too much time to install and tend to break more stuff than they fix". Ironically, a month later he calls me back asking for help because his network got infected with Blaster... Last story. In a previous job one of my duties was to maintain the internet connection and firewall. One day I get an automatic page that our outbound bandwidth is maxed. Checking the router, sure enough, 100% utilization. So I began to back track the traffic; it all originated from the helpdesk subnet. My first assumption was that they were trying to disinfect someone's computer that got a virus. So I walked down to the desk ready to yell at the genius who plugged the computer into the production network. But I found that there were no computers in for service...
Checked the router, still maxing out the internet, so I checked each of the IPs of the tech workstations and found that the manager's computer matched. Checked the NIC light, blinking crazy. This definitely was the computer. I asked the manager if he knew anything about this, and he responded "well there was this odd email we got in the helpdesk mailbox, I figured it was a virus, and I wanted to see what happened if I ran it. So I downloaded and ran the .exe. But nothing happened, so I thought it must have been broken or something like that"... This guy is the helpdesk manager (who really should know better) and is knowingly running malicious code on his work computer (while logged in with a privileged account). So if there is anything to get from the above stories, it is that when it comes to computer security, the average person is very very under educated. So where I think the real focus should be is not to scare people about attacks on abstract concepts like root servers, but instead try to educate them on personal computer security. I want to see a CNN special about someone who had their identity stolen because he did not have anti-virus software. I want to see interviews with computer criminals saying that they could not have hacked into personal computers if only the owners had put on firewalls. I want to see the media show the horror stories that a lack of personal computer security can do and then show people how to keep it from happening to them. My $0.02, Adam Stasiniewicz
3. Even if your computer is secure, miscreants depend on your trust. Be suspicious of messages, files, software; even if it appears to come from a person or company you trust.
Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But don't assume because you are using them, you can click on everything and still be safe. The miscreants are always finding new ways around them.
It may just be human nature, but people seem to engage in more risky behavior when they believe they are protected.
4. If your computer is compromised, unplug it until you can get it fixed.
It's not going to fix itself, and ignoring the problem is just going to get worse.
5. Paying for AV software is not a solution, no matter how often it's been on TV. (Norton - the antivirus software one finds on virus-infected computers)
On Sun, Feb 11, 2007, Alexander Harrowell wrote:
5. Paying for AV software is not a solution, no matter how often it's been on TV. (Norton - the antivirus software one finds on virus-infected computers)
Don't forget the trojan payload lately that used a cracked copy of Kaspersky AntiVirus to catch subsequent infecters. :) http://sunbeltblog.blogspot.com/2006/12/hacked-version-of-dr-web-antivirus.h... Adrian
My two (and a half) cents.

1. Systems that need a firewall, antivirus and antispyware software added on to survive for more than a few minutes SHOULD NOT BE CONNECTED TO THE INTERNET IN THE FIRST PLACE. They're simply not good enough. It's like bringing a knife to a gunfight. (nod to Mr. Connery)

2. The idea that you can run a program on a known-compromised OS and count on that program to detect and/or remove the problem is fundamentally flawed. The only way to have much confidence in the former is to boot from a known-UNcompromised OS and run it from there; the only way to have some confidence in the latter is to wipe the drives and start over. And there are still ways that both of these can fail (e.g., sufficiently clever malware which hides from the first and manages to survive the second by concealing itself in restored data). Hitting the "scan and disinfect" button or whatever they call it this week is well on its way to becoming a NOOP.

3. Banks, credit card companies, and numerous online merchants have trained their users to be excellent phish victims by training them to read their mail with a web browser. Anyone who is serious about stopping phishing will stop sending mail marked up with HTML.

4. Network operators need to be far more proactive about keeping Bad Stuff from *leaving* their networks. (After all, if it can be detected inbound to X's network, then in most cases it can be detected outbound from Y's -- the exceptions being things like slow, highly distributed attacks which originate nowhere and everywhere.)

5. I have no sympathy for anyone who still uses the IE and/or Outlook malware-and-exploit-propagation-engines-disguised-as-applications. Not that the alternatives are panaceas -- of course they're not -- but at least they're a big step away from two of the primary compromise vectors.
I figure little, if anything, substantive will be done about 1-4, but I have some hope that 5 is simple enough that sufficient repetition will eventually have some effect. ---Rsk
On Sat, 10 Feb 2007, Stasiniewicz, Adam wrote:
Sean makes a good point, but there is one small problem with his suggestions. He is preaching to the choir.
Just trying to get the choir to sing on key. Of course, I know the choir will probably spin off singing 18 different songs. Local interest. The next security incident, can the security experts in the US talk about what US readers can do. Experts in Europe talk about what European readers can do. Experts in China, Australia, India, Brazil, Antarctica talk about what readers in those areas can do. I have no idea when, where or what the next incident will be, but can guess it will involve the usual problems. Turn on automatic update, turn off services you don't use, don't believe everything you read on the net.
On Sun, 11 Feb 2007, Sean Donelan wrote:
Preaching to the choir indeed, only the choir is not the users. The Internet is not a secure place and we can force no one to secure their computers. We can throw them off our networks if they don't, as they cost us more than they pay. Gadi.
On 11 Feb 2007, Paul Vixie wrote:
sean@donelan.com (Sean Donelan) writes:
... don't believe everything you read on the net.
you had me right up until that last part, which is completely unreasonable.
I think it's not only reasonable, but is the only sane way to approach content on the net. Why do you feel it's unreasonable? Or are you being sarcastic? (It's impossible to tell) -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Victorville, California PGP:0xE3AE35ED It's all fun and games until someone starts a bonfire in the living room.
i mean it's never going to happen, and is therefore totally unrealistic, and that any plan with that as a required element is doomed at the outset, and we had better figure out alternative plans. you might just as well ask for rivers to flow backwards, or dogs and cats to live together in harmony, or an educated american electorate, as to ask that folks stop believing everything they read on the net | see on tv | etc. are we off-topic yet?
On Sat, 10 Feb 2007 23:36:32 -0600 "Stasiniewicz, Adam" <stasinia@msoe.edu> wrote:
Another time I was doing some consulting work for a NPO. I was going over the findings of my audit and I told the IT manager that all of his machines were missing patches. His response: "we only install service packs, individual patches take too much time to install and tend to break more stuff than they fix". Ironically, a month later he calls me back asking for help because his network got infected with Blaster...
He was both right and wrong -- patches do break a lot of stuff. He was facing two problems: the probability of being off the air because of an attack versus the probability of being off the air because of bad interactions between patches and applications. Which is a bigger risk? It's not an easy question to answer. One scenario that scares me is what happens if the April Patch Tuesday takes out, say, TurboTax, just as Americans are getting ready to file their tax returns. There are no good answers to this question. Of course, being an academic I can view such problems as opportunities, and it is in fact a major focus of my research. Today, though, it's a serious issue for system managers. --Steve Bellovin, http://www.cs.columbia.edu/~smb
He was both right and wrong -- patches do break a lot of stuff. He was facing two problems: the probability of being off the air because of an attack versus the probability of being off the air because of bad interactions between patches and applications. Which is a bigger risk?
That's an argument for an organizational test environment and testing patches before deployment, no? Not an argument against patching. That said, I would LOVE to see MS ship a monthly/quarterly unified updater that's a one-step way to bring fresh systems up to date without slipstreaming the install CD. Then press a zillion of 'em and put them everywhere you can find an AOL CD, for all those folks on dial-up who see a 200MB download and curl up in the fetal position and whimper.
It's not an easy question to answer. One scenario that scares me is what happens if the April Patch Tuesday takes out, say, TurboTax, just as Americans are getting ready to file their tax returns.
<cynic mode> No need to worry about that until MS TaxForm starts shipping. </cynic mode> -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
On Sun, 11 Feb 2007 10:49:30 -0600 Dave Pooser <dave.nanog@alfordmedia.com> wrote:
Surveys have shown an inverse correlation between the size of a company and when it installed XP SP2. Yes, you're right; a good test environment is the right answer. As I think most of us on this list know, it's expensive, hard to do right, and still doesn't catch everything. If I recall correctly, the post I was replying to said that it was a non-profit; reading between the lines, it wasn't heavily staffed for IT, or they wouldn't have needed a consultant to help clean up after Blaster. And there's one more thing -- at what point have you done enough testing, given how rapidly some exploits are developed after the patch comes out? --Steve Bellovin, http://www.cs.columbia.edu/~smb
Yes, the place in question was very understaffed. The long term remediation plan I helped them with after the Blaster case was to deploy SUS and acquire a volume license for an AV (they had very spotty and in some sites nonexistent AV coverage on the client machines). With the pressure from upper management, I got the IT manager to do some "basic" tests of patches (manual install on the computers in the IT office and see if anything blew up) then push the patches via SUS. I have seen some fairly reasonable methodologies for deploying patches. In this day, being behind with patches (especially with Microsoft products) is like playing with fire. (That is not to say that it is a good idea to be behind on your *nix updates, they are just as vulnerable to exploit if they are running old versions of internet accessible apps.) Some of the strategies I have seen that work reasonably well at mitigating the risk of damage caused by patches:

- Deploy patches to a small number of computers (one or two per department). This way you get coverage of all the apps used. Then after a day or two of no complaints, push patches out to the rest of the computers.
- Maintain a collection of computers running all of the critical apps where you can test each patch.
- Wait a few days before patching. During this time monitor mailing lists/blogs/news sites/etc. for any reports of problems; if none exist, patch.

It should also be noted that over the last few years Microsoft has gotten a lot better at internally testing patches (remember the NT4 service packs?). So many times for my smaller and less staffed customers and private individuals I advise them to configure for automatic updating. Adam Stasiniewicz
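The per-department canary ring and "wait a day or two for complaints" gate that Adam describes above, written out as an added example (not code from the thread or from any of the tools named in it). Hosts, departments, app names and the reports are constructed sample data; the two-day bake period is an assumed default.

```python
"""Staged patch rollout: canary ring per department, then a bake-period gate.

Added example for the strategies described in the thread above. All hosts,
departments, applications and reports below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Host:
    name: str
    department: str
    critical_apps: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Report:
    host: str
    when: datetime
    severity: str  # "info", "warning" or "breakage"


def select_canaries(inventory: list[Host], per_department: int = 2) -> list[Host]:
    """Pick up to `per_department` hosts per department, preferring hosts that
    run the most distinct critical apps so the ring exercises as many
    patch/application interactions as possible."""
    by_dept: dict[str, list[Host]] = {}
    for host in inventory:
        by_dept.setdefault(host.department, []).append(host)
    canaries: list[Host] = []
    for dept in sorted(by_dept):
        ranked = sorted(by_dept[dept], key=lambda h: (-len(h.critical_apps), h.name))
        canaries.extend(ranked[:per_department])
    return canaries


def uncovered_apps(inventory: list[Host], canaries: list[Host]) -> list[str]:
    """Critical apps present in the fleet but on no canary: interactions the
    bake period cannot observe, so they need a dedicated test box instead."""
    fleet = set().union(*(h.critical_apps for h in inventory))
    covered = set().union(*(h.critical_apps for h in canaries))
    return sorted(fleet - covered)


def rollout_decision(canaries: list[Host], reports: list[Report], deployed_at: datetime,
                     now: datetime, bake: timedelta = timedelta(days=2)) -> tuple[str, str]:
    """Gate the fleet-wide push on what the canaries reported since deployment.
    Returns ("promote" | "hold" | "rollback", reason). Reports from non-canary
    hosts or from before the canary deployment are ignored."""
    names = {h.name for h in canaries}
    relevant = [r for r in reports if r.host in names and deployed_at <= r.when <= now]
    broken = sorted({r.host for r in relevant if r.severity == "breakage"})
    if broken:
        return "rollback", "breakage reported on canaries: " + ", ".join(broken)
    elapsed = now - deployed_at
    if elapsed < bake:
        return "hold", f"bake period not over, {bake - elapsed} remaining"
    return "promote", f"{len(canaries)} canaries quiet for {bake}"


# Constructed inventory: acct-03 is the only host running "legacy-ledger".
SAMPLE_INVENTORY = [
    Host("acct-01", "accounting", frozenset({"payroll", "office"})),
    Host("acct-02", "accounting", frozenset({"office"})),
    Host("acct-03", "accounting", frozenset({"legacy-ledger"})),
    Host("help-01", "helpdesk", frozenset({"ticketing", "office"})),
    Host("help-02", "helpdesk", frozenset({"ticketing"})),
    Host("ops-01", "operations", frozenset({"inventory-db", "office"})),
    Host("exec-01", "executive", frozenset({"office", "tax-software"})),
]


def demo() -> dict:
    """Run the canary selection and the gate against constructed reports."""
    deployed_at = datetime(2007, 2, 12, 9, 0)
    canaries = select_canaries(SAMPLE_INVENTORY)
    quiet = [
        Report("help-02", datetime(2007, 2, 12, 15, 0), "warning"),   # canary, not a breakage
        Report("acct-03", datetime(2007, 2, 13, 10, 0), "breakage"),  # not a canary, ignored
        Report("exec-01", datetime(2007, 2, 10, 8, 0), "breakage"),   # before deployment, ignored
    ]
    noisy = quiet + [Report("help-01", datetime(2007, 2, 12, 16, 0), "breakage")]
    day1, day2 = deployed_at + timedelta(days=1), deployed_at + timedelta(days=2)
    return {
        "canaries": [h.name for h in canaries],
        "uncovered": uncovered_apps(SAMPLE_INVENTORY, canaries),
        "day1": rollout_decision(canaries, quiet, deployed_at, day1)[0],
        "day2": rollout_decision(canaries, quiet, deployed_at, day2)[0],
        "day1_with_breakage": rollout_decision(canaries, noisy, deployed_at, day1)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `uncovered` result is the check worth keeping: a department-based ring can still miss an application that lives on a single machine, which is exactly the case the "collection of computers running all of the critical apps" strategy covers.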
On Sat, 10 Feb 2007, Sean Donelan wrote:
On Tue, 6 Feb 2007, Roy wrote:
It's amazing how reporters have to butcher technology information to make it understood by their editors
http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?e...
Do we keep missing opportunities?
Yes, it was a minor incident, just like a minor earthquake, the hurricane that doesn't hit, the fire that is extinguished. But it was also an opportunity to get the message out to the public about the things they can do to take control.
We remind people what to do in a tornado, earthquake, flood, hurricane, etc. This on-going education does help; even though some people still drive their cars through moving water or go outside to watch the tornado.
Colin Powell mentioned at RSA in his extremely good, entertaining and pointless talk something of relevance. During the cold war American kids were trained to hide beneath their desktops in case of a nuclear attack. Much good that would have done.
Instead of pointing fingers at South Korea, China, etc., every country with compromised computers (all of them) is the problem. The United States may be slow as far as broadband, but it makes up for it in the number of compromised computers.
We may know the drill, but it doesn't hurt to repeat the message every time we have the public's attention for 15 seconds.
And yet, can a non-trained user understand what "awareness" means?
1. Turn on Automatic Update if your computer isn't managed by a full-time IT group.
Microsoft Windows, Apple MAC OS/X, and several versions of Linux have Automatic Update available. Most vendors make security patches available to users whether or not the software is licensed or un-licensed.
Zero day exploits may be sexy and get the press attention, but the long-term problem is the computers that never get patched. The VML exploit on the football stadium websites was patched last month; but it's not how fast a patch is released, it's how fast people install it.
Amen. 0days have become something petrifying. At my talk at RSA on the subject of 0days and ZERT I started by asking what a 0day is. Any guesses as to how many answers I got? One Answer I did get was that we are all petrified as we can't do anything about it (not true) and won't know about it. I am of the strong belief one should take care of known vulnerabilities first, then start worrying about 0days. That's one thing anyone can start the process of doing (and for organizations, this can take years) which will also result in a better infrastructure to contain and respond to 0day attacks. Still, how many users know how to turn on automatic updates? We are likely to see them go to google, type in "automatic updates" and end up downloading malware.
2. Use a hardware firewall/router for your broadband connection and turn on the software firewall on your computer in case you ever move your computer to a different network.
Use Wireless security (WEP, WPA, VPN, SSL, etc) if using a WiFi access point, or turn off the radio on both your home gateway and computer if you are not using WiFi.
How?? This is where providers can chime in, and provide with pre-secured hardware to any level which is above "come and rape me".
3. Even if your computer is secure, miscreants depend on your trust. Be suspicious of messages, files, software; even if it appears to come from a person or company you trust.
How do I determine what is suspicious? This is a message telling me my mother is sick!
Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But don't assume because you are using them, you can click on everything and still be safe. The miscreants are always finding new ways around them.
This is too complicated. I don't understand. So you give me a solution, use this and that tool, and then I need to be careful yet again?
It may just be human nature, but people seem to engage in more risky behavior when they believe they are protected.
The 4-bit encryption issue. I am encrypted and thus protected. I would argue email is simply not a secure medium by which to receive files. Call and verify when in doubt. "If approached by phone, email or any other medium, verify the source independently, in a fashion unrelated to any instructions provided in that approach, before trusting it."
4. If your computer is compromised, unplug it until you can get it fixed.
It's not going to fix itself, and ignoring the problem is just going to get worse.
A user won't unplug him or herself. An ISP might. Today the economy of this changes enough for quite some ISPs to decide it is better to kick a user than give him or her tech support. Enter walled garden. Gadi.
On Sun, 11 Feb 2007, Gadi Evron wrote:
Colin Powell mentioned at RSA in his extremely good, entertaining and pointless talk something of relevance. During the cold war American kids were trained to hide beneath their desktops in case of a nuclear attack. Much good that would have done.
The important lesson is you can educate people. The content may have been bogus, but it was very effective at reaching most of the population. People who grew up during that era still remember it. If you can come up with a few simple things to do, it is possible to reach most of the public. But we are our own worst enemies. When we have the opportunity, instead of giving the few simple things everyone could do, we create a lot of confusion.
On Mon, 12 Feb 2007, Sean Donelan wrote:
On Sun, 11 Feb 2007, Gadi Evron wrote:
Colin Powell mentioned at RSA in his extremely good, entertaining and pointless talk something of relevance. During the cold war American kids were trained to hide beneath their desktops in case of a nuclear attack. Much good that would have done.
The important lesson is you can educate people. The content may have been bogus, but it was very effective at reaching most of the population. People who grew up during that era still remember it.
If you can come up with a few simple things to do, it is possible to reach most of the public. But we are our own worst enemies. When we have the opportunity, instead of giving the few simple things everyone could do, we create a lot of confusion.
Show me one simple thing that is very easily achievable, and it will be everywhere at the next "crisis". Giving security advice today is extremely difficult, as it is not always true nor is it easy to give it one meaning. Gadi.
On Mon, Feb 12, 2007 at 01:45:41AM -0500, Sean Donelan <sean@donelan.com> wrote a message of 16 lines which said:
The important lesson is you can educate people. The content may have been bogus,
Spot on: it is easy to "educate" people with simple and meaningless advice such as "Install an antivirus" or "Hide under the desk" or (my favorite, now known by most ordinary users) "Do not open attachments from unknown recipients". But most security risks do not require "monkey advice" (advice that an ordinary monkey could follow). They require intelligence, knowledge in the field, and time, all things that are in short supply. The discussion about the NPO that had the choice between breaking stuff that works because of patches or risking an attack was a very good one and the "IT manager" at the NPO was quite reasonable, indeed: the aim is not security (except for security professionals), the aim is to have the work done and, if you listen only to the security experts, no work will ever be done (but you will be safe).
If you can come up with a few simple things to do, it is possible to reach most of the public.
Sure, just find these few simple things that will actually improve security. (My personal one would be "Erase MS-Windows and install Ubuntu". If we are ready to inconvenience ordinary workers with computer security, this one would be a good start.)
On Mon, 12 Feb 2007, Stephane Bortzmeyer wrote:
On Mon, Feb 12, 2007 at 01:45:41AM -0500, Sean Donelan <sean@donelan.com> wrote a message of 16 lines which said:
The important lesson is you can educate people. The content may have been bogus,
<snip>
If you can come up with a few simple things to do, it is possible to reach most of the public.
Sure, just find these few simple things that will actually improve security. (My personal one would be "Erase MS-Windows and install Ubuntu". If we are ready to inconvenience ordinary workers with computer security, this one would be a good start.)
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux? Gadi.
On Mon, Feb 12, 2007 at 03:23:26AM -0600, Gadi Evron <ge@linuxbox.org> wrote a message of 25 lines which said:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
I already do it. With my mother, not yours. And she uses MS-Windows so I can testify that the whole argument "MS-Windows requires less tech support than Unix" is completely bogus.
On 2/12/07, Gadi Evron <ge@linuxbox.org> wrote:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
Gadi.
Name anyone techie who doesn't have to do tech support for their mother on MS Windows..
On Mon, Feb 12, 2007 at 09:31:21AM +0000, Alexander Harrowell <a.harrowell@gmail.com> wrote a message of 28 lines which said:
Name anyone techie who doesn't have to do tech support for their mother on MS Windows..
Political fix: and their father, too :-)
On Mon, 12 Feb 2007, Alexander Harrowell wrote:
On 2/12/07, Gadi Evron <ge@linuxbox.org> wrote:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
Gadi.
Name anyone techie who doesn't have to do tech support for their mother on MS Windows..
Especially on family holidays, right? Tech support on usability is not that much of an issue as it is on Linux, whether because of years of use and becoming used to the Microsoft interface, or because no matter what Linux is just not that user friendly. Tech support on Windows has interface questions, but much less than on Linux. The real question is, are you willing to support my mother, too? 1. What would be the cost of doing such tech support at an ISP compared to Windows? 2. How secure would Linux be if massively used and in a default installation. We already have massive Linux server botnets, let's avoid the home users. Gadi.
On Feb 12, 2007, at 4:31 AM, Alexander Harrowell wrote:
On 2/12/07, Gadi Evron <ge@linuxbox.org> wrote:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
Gadi.
Name anyone techie who doesn't have to do tech support for their mother on MS Windows..
The ones whose Moms got Macs, of course. (Well, in my case it's my Mother-in-Law, but the tech support required has dramatically reduced.) Regards Marshall
Name anyone techie who doesn't have to do tech support for their mother on MS Windows.. The ones whose Moms got Macs, of course. (Well, in my case it's my Mother-in-Law, but the tech support required has dramatically reduced.)
Marshall beat me to it. I have a T-shirt that says "Mac: So simple my parents can use it." It's funny because it's true. -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
On Mon, 12 Feb 2007 09:51:38 -0600 Dave Pooser <dave.nanog@alfordmedia.com> wrote:
Marshall beat me to it. I have a T-shirt that says "Mac: So simple my parents can use it." It's funny because it's true.
Why do I keep hearing "My parents are stupid" in these sorts of comments? Just wait. They get smarter as you get older.
--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
My Mom kicks all you's buttocks. Got a Radio Shack franchise in 1983, we kids got in on the ground floor of personal computing (on Color Computers and TRS-80's). She does tech support for others her age. Or did, in Colorado in a community for older folks, and is now in Costa Rica figuring out how to get online. Seth Johnson Marshall Eubanks wrote:
On Feb 12, 2007, at 4:31 AM, Alexander Harrowell wrote:
On 2/12/07, Gadi Evron <ge@linuxbox.org> wrote:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
Gadi.
Name anyone techie who doesn't have to do tech support for their mother on MS Windows..
The ones whose Moms got Macs, of course. (Well, in my case it's my Mother-in-Law, but the tech support required has dramatically reduced.)
Regards Marshall
-- RIAA is the RISK! Our NET is P2P! http://www.nyfairuse.org/action/ftc DRM is Theft! We are the Stakeholders! New Yorkers for Fair Use http://www.nyfairuse.org [CC] Counter-copyright: http://realmeasures.dyndns.org/cc I reserve no rights restricting copying, modification or distribution of this incidentally recorded communication. Original authorship should be attributed reasonably, but only so far as such an expectation might hold for usual practice in ordinary social discourse to which one holds no claim of exclusive rights.
On Mon, 12 Feb 2007 03:23:26 -0600 (CST) Gadi Evron <ge@linuxbox.org> wrote:
As a very smart person said a couple of weeks ago when this same argument was made: are you willing to do tech-support for my mother if she uses linux?
Yes. Well, not your mother (unless she paid me) but I used to support my father and I ran Unix on his system. It was great. If he had a problem I could generally get into his system and work on it as if I was right there except he couldn't watch over my shoulder and interrupt me every 30 seconds with questions. Now he uses WindBlows and it is easier for me only because I can send him to my siblings for support. If I am willing to support someone who doesn't understand the technology I would rather put them on Unix than MSW.
--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
On Mon, 2007-02-12 at 10:13 +0100, Stephane Bortzmeyer wrote:
Sure, just find these few simple things that will actually improve security. (My personal one would be "Erase MS-Windows and install Ubuntu". If we are ready to inconvenience ordinary workers with computer security, this one would be a good start.)
Isn't that like treating smallpox with anthrax? Consumers are cheap and lazy. What they need is a serious incentive to care about security. Society holds individuals accountable for many forms of irresponsible behaviour. There's no need to make exceptions for computer users. Make computer-owners/users pay in full for damages caused by their equipment with no discount for incompetence. Insecure products might then be considered inappropriate for public consumption and that would be a powerful signal to the IT industry to change their ways. Maybe the market also finally would challenge the validity (or even existence) of std.disclaimer statements common in today's software licences. -- Per Heldal - http://heldal.eml.cc/
I've worked in security for some time, not that it makes me an expert but I have seen how it is promoted/advertised. On Feb/12/07, someone wrote:
Consumers are cheap and lazy.
I think that is the wrong place to start. It isn't the consumer's fault that they have a device more dangerous than they think. Look at what they are being sold - a device to store memories, a device to entertain them, a device to connect with people they want to talk to. Everyone economizes on what they think is unimportant. A consumer doesn't care for the software, they care for the person on the other side of the connection. They care about the colors in the office, the taste of the food, etc. So it may appear they "low-ball" that part of the computer equation. My point is that it is convenient to blame this on the consumers when the problem is that the technology is still just half-baked.
What they need is a serious incentive to care about security.
I find this to be a particularly revolting thought with regards to security. Security is never something I should want, it is always something I have to have. Not "need" but something I am resigned to have to have. This is like saying "folks will have to die before a traffic signal is put here" or "more planes will have to be taken by hijackers before the TSA is given the funding it needs." Security shouldn't wait for a disaster to promote it - you might as well be chasing ambulances. Security has to resign itself to being second-class in the hearts and minds of society. Security has to be provided in response to its environment and not complain about its lot in life. (I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)
Society holds individuals accountable for many forms of irresponsible behaviour.
This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramp and cause a tie up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that? And maybe it isn't recklessness. A failed water pump may cause a breakdown, followed by an accident, etc. Mentioned just to spread the analogy out.
There's no need to make exceptions for computer users. Make computer-owners/users pay in full for damages caused by their equipment with no discount for incompetence.
If that happened, then computer users would be the exception. I can't think of any situation in which an accident might occur and the one causing the accident pays in full to everyone.
Insecure products might then be considered inappropriate for public consumption and that would be a powerful signal to the IT industry to change their ways. Maybe the market also finally would challenge the validity (or even existence) of std.disclaimer statements common in today's software licences.
I used to work for a gov't facility whose mission was science. They had a serious telecommunications problem on their hands. Although it was important to solve, they funded science first - up until all the telecom problems became "too annoying" and money was allocated to solve the problem. There are IT security problems. But there are other priorities in life. Instead of complaining that IP security is underappreciated, the case has to be made that the situation is more serious than some other problem. If that case can't be made, then maybe IT security is not that big of a deal (to anyone other than you). Don't get frustrated, present a better case. And be prepared that you still may not win. But never wish ill-will (as "serious incentive" alludes to) on someone to prove your point. BTW-This isn't meant to be a critique on one message. It's my reaction to quite a few messages that are similar and to some comments I have heard. Sorry if it seems like I'm attacking a single messenger. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar "Two years ago you said we had 5-7 years, now you are saying 3-5. What I need from you is a consistent story..."
On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
I've worked in security for some time, not that it makes me an expert but I have seen how it is promoted/advertised.
On Feb/12/07, someone wrote:
Consumers are cheap and lazy.
I think that is the wrong place to start. It isn't the consumer's fault that they have a device more dangerous than they think. Look at what they are being sold - a device to store memories, a device to entertain them, a device to connect with people they want to talk to.
Everyone economizes on what they think is unimportant. A consumer doesn't care for the software, they care for the person on the other side of the connection. They care about the colors in the office, the taste of the food, etc. So it may appear they "low-ball" that part of the computer equation.
My point is that it is convenient to blame this on the consumers when the problem is that the technology is still just half-baked.
What they need is a serious incentive to care about security.
I find this to be a particularly revolting thought with regards to security. Security is never something I should want, it is always something I have to have. Not "need" but something I am resigned to have to have. This is like saying "folks will have to die before a traffic signal is put here" or "more planes will have to be taken by hijackers before the TSA is given the funding it needs." Security shouldn't wait for a disaster to promote it - you might as well be chasing ambulances. Security has to resign itself to being second-class in the hearts and minds of society. Security has to be provided in response to its environment and not complain about its lot in life.
(I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)
You're missing the point. My suggestion lies along the lines of "follow the money-trail". I want consumers held responsible so that they in turn can move the focus to where it belongs: IT vendors.
Society holds individuals accountable for many forms of irresponsible behaviour.
This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramp and cause a tie up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that?
The system isn't perfect, but does that mean we should ditch all attempts at regulation? If the no-touch approach towards IT was applied to traffic and the automotive industry we could just as well drop all regulation of traffic. No rules, no offences.
And maybe it isn't recklessness. A failed water pump may cause a breakdown, followed by an accident, etc. Mentioned just to spread the analogy out.
There's no need to make exceptions for computer users. Make computer-owners/users pay in full for damages caused by their equipment with no discount for incompetence.
If that happened, then computer users would be the exception. I can't think of any situation in which an accident might occur and the one causing the accident pays in full to everyone.
That is (as you mention above with driving) mostly because people are covered by some form of insurance. Insurance doesn't mean the driver has no responsibility. Never heard about insurers claiming regress from clients for recklessness? Computer-owners could also be protected that way. Insurers will then help place responsibility where it belongs depending on whether the cause is "reckless computing" or product failure. Insurers also have the resources to help with class-action suits against manufacturers on behalf of their clients should that be necessary. If people can be held responsible for reckless driving, they should not get away with "reckless computing" either. Likewise, software manufacturers should be held accountable for the functionality and quality of their products like any other industry. What remains is to find definitions of these terms which are acceptable to the general public. //per
On 2/12/07, Per Heldal <heldal@eml.cc> wrote:
On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
I've worked in security for some time, not that it makes me an expert but I have seen how it is promoted/advertised.
On Feb/12/07, someone wrote:
Consumers are cheap and lazy.
I think that is the wrong place to start. It isn't the consumer's fault that they have a device more dangerous than they think. Look at what they are being sold - a device to store memories, a device to entertain them, a device to connect with people they want to talk to.
Everyone economizes on what they think is unimportant. A consumer doesn't care for the software, they care for the person on the other side of the connection. They care about the colors in the office, the taste of the food, etc. So it may appear they "low-ball" that part of the computer equation.
My point is that it is convenient to blame this on the consumers when the problem is that the technology is still just half-baked.
What they need is a serious incentive to care about security.
I find this to be a particularly revolting thought with regards to security. Security is never something I should want, it is always something I have to have. Not "need" but something I am resigned to have to have. This is like saying "folks will have to die before a traffic signal is put here" or "more planes will have to be taken by hijackers before the TSA is given the funding it needs." Security shouldn't wait for a disaster to promote it - you might as well be chasing ambulances. Security has to resign itself to being second-class in the hearts and minds of society. Security has to be provided in response to its environment and not complain about its lot in life.
(I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)
You're missing the point. My suggestion lies along the lines of "follow the money-trail". I want consumers held responsible so that they in turn can move the focus to where it belongs: IT vendors.
Society holds individuals accountable for many forms of irresponsible behaviour.
This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramp and cause a tie up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that?
The system isn't perfect, but does that mean we should ditch all attempts at regulation? If the no-touch approach towards IT was applied to traffic and the automotive industry we could just as well drop all regulation of traffic. No rules, no offences.
If you take the driver = computer operator argument as valid (pretty close); then here perhaps is the meat of the matter. A driver is someone that has to pass a test and pay for a license to be able to operate a potentially lethal vehicle. Now while in theory a computer can be lethal, in general it is not. With the above said in regards to lethality, regarding the costs potentially involved in incorrect operation a computer can be near a car. Accepting this analogy as true would imply that we should start licensing computer users. However, given the general non-lethality of a computer coupled with the idea that a computer license could potentially stifle our industry and limit innovation/education. (That kid whose parents might just barely be able to afford a PC might not be able to operate it without a license - two fold problem sales and familiarity)

So, in regards to not hurting our collective industry (fiscally or in regards to talent to hire down the line) via regulation and/or financial restrictions like insurance, perhaps we should lobby for a tax break from the federal government for computer use training classes. Make it not-OS-specific, as long as you have taken a class that covers an industry body's recommendation for material you get X dollars back from the federal government. Tax breaks, IMO, have been proven to be a great incentive for consumers and corporations alike in regards to influencing the public good. Whereas regulation has generally been a stifling influence on innovation and leads to government bloat and overhead.

Thoughts? JB
On Mon, 12 Feb 2007, Edward Lewis wrote:
My point is that it is convenient to blame this on the consumers when the problem is that the technology is still just half-baked.
I wonder if anyone has tried to quantify in economic terms, the worldwide army of people/products/services that have been mobilized to provide technical support and security to windows? I imagine the GDP of this market stacks up with some smaller European countries. It is interesting to ponder for a moment the alternative; the folks in Redmond releasing a stable, secure, less convoluted and easy to use OS. This would be great for the consumer, but what if that consumer works at the support desk, or for McAfee or Symantec or ad infinitum?

Windows is a highly entropic OS. So much energy is used configuring, supporting, rebooting, updating, securing it, that the original purpose of using the computer (automation, efficiency, computation) has been subsumed by the task of keeping the beast alive and disease free.

A stable/secure version of windows is somewhat like the US moving to a flat tax. An idea that would greatly simplify the tax system, but wipe out an army of accountants, tax attorneys and bureaucrats. Thus it will never happen. There are too many vested interests in the status quo, which is Latin for "the mess we're in." craig
On Mon, Feb 12, 2007 at 12:50:20PM +0100, Per Heldal wrote:
On Mon, 2007-02-12 at 10:13 +0100, Stephane Bortzmeyer wrote:
Sure, just find these few simple things that will actually improve security. (My personal one would be "Erase MS-Windows and install Ubuntu". If we are ready to inconvenience ordinary workers with computer security, this one would be a good start.)
Isn't that like treating smallpox with anthrax?
More like treating smallpox with cowpox vaccinations. That, at least, works. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
participants (28)
- Aaron Glenn
- Adrian Chadd
- Alexander Harrowell
- coonrad
- D'Arcy J.M. Cain
- Dave Pooser
- Douglas Otis
- Edward Lewis
- Gadi Evron
- Hank Zannini
- Jeff Kell
- Joe Abley
- John Bittenbender
- Joseph S D Yao
- Marshall Eubanks
- Paul Vixie
- Paul Vixie
- Per Heldal
- Rich Kulawiec
- Rob Thomas
- Roy
- Sean Donelan
- Seth Johnson
- Stasiniewicz, Adam
- Stephane Bortzmeyer
- Steve Sobol
- Steven M. Bellovin
- virendra rode //