Re: [Full-Disclosure] Calcuating Loss

From: Alexander Schreiber (als_at_thangorodrim.de)
Date: 05/12/04

    To: "Schmidt, Michael R." <Michael.Schmidt@T-Mobile.com>
    Date: Wed, 12 May 2004 07:33:52 +0200
    
    

    On Tue, May 11, 2004 at 03:02:30PM -0700, Schmidt, Michael R. wrote:
    > I think that part of the evolution is to lock people who create these
    > things up for a *very* long time. It will deter the script kittens
    > when they start to find that their computers are confiscated and their
    > parents' homes are sold to pay for the "loss" incurred by their
    > stupidity. The real black hats will be deterred when 20 FBI/CIA whoever
    > agents drag them from their homes at gunpoint with the handcuffs tight
    > around their wrists.

    Dead wrong. All this will accomplish is that any malware author will just
    be one hell of a lot more careful to avoid getting caught. It might even
    accelerate another trend: malware by script kiddies goes down,
    malware by real criminals (who use/sell the infected machines as spam
    relays, DDoS zombies (nice extortion tool, already used), ...) will go
    up. Net result: you ruined the lives of a few foolish kids and their
    entire family, but you still don't get the (much more dangerous)
    professional criminals. Achievement for network security: NIL.

    > The consequences need to be severe enough. In order to accomplish that
    > our infrastructure has got to support the basic ability to find people
    > who cause problems. Anonymity is not an option.

    Ever heard of identity theft? In the same way that the less stupid
    criminals don't use their own private cars but stolen ones for
    committing crimes, criminal malware authors will just use
    computers/accounts whose access credentials were stolen. You end up
    investigating a fool who got his access credentials stolen, but probably
    didn't do anything else. And you still have to find the real guy ...

    We really should take a lesson from the real world here: valuable
    property (like big bags full of money) is not usually left out on the
    kitchen table and only protected by strong penalties for anyone
    wandering in and grabbing a few - if you tried to rely on this, police and
    insurance would laugh you out of town. Instead, valuable physical
    property is protected by serious physical means of protection (like
    putting your bags full of cash into a big, heavy, unmovable safe) _and_
    legislation to punish the few serious criminals who still manage to
    steal some.

    The way to protect digital infrastructure from the destructive effects
    of malware is to harden the infrastructure itself. Don't use insecure
    operating systems and hope that the 'patch of the day' will keep the
    malware out - because it won't. Don't use sloppily coded, insecure
    software and hope nothing bad will happen because nobody will find out
    how to exploit the flaws - because somebody will find out and exploits
    will happen. Don't build insecure networks and hope nobody will abuse
    them because nobody knows what a mess it is - because somebody will
    abuse them.

    In short: Don't build a house of cards and then try to outlaw the wind,
    build a house of stone and enjoy the fresh air.

    Yes, there are things that are very hard or practically impossible to
    guard against (DoS comes to mind), but practically all malware problems
    are due to avoidable failures: insecure configurations (like executing
    untrusted code from unknown sources by default), coding errors that
    could be avoided by using proper tools (like buffer overflows) and so
    on. Close the existing easy attack paths and then we can deal with the
    remaining few attackers with the law and a lot of attention.

    Regards,
          Alex.

    -- 
    "Opportunity is missed by most people because it is dressed in overalls and
     looks like work."                                      -- Thomas A. Edison
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
