Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Government Security Your Rights Online

Malware Is a Disease; Let's Treat It Like One 160

jfruhlinger writes "The most common metaphor we have for computer malware — 'virus' — emphasizes that in many ways malicious computer code mimics biological pathogens. And yet, while the U.S. government has rapid response plans in place for an outbreak of a new disease, we're content to let the private sector react to hugely damaging computer infections. Tom Henderson thinks we need the cybersecurity equivalent of the CDC."
This discussion has been archived. No new comments can be posted.

Malware Is a Disease; Let's Treat It Like One

Comments Filter:
  • I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
    • I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.

      Private companies are motivated by profit.

      Agencies are directed by political appointees, but good ones tend to have a culture which focuses on institutional competence. (e.g. the solicitor general's office.) It does not make sense for individual companies to take the same measures that a society does--there are collective action problems. Some of those goals can be assumed by an agency working for government.

      • by Attila Dimedici ( 1036002 ) on Friday July 22, 2011 @01:27PM (#36849168)

        Agencies are directed by political appointees,...

        Who are motivated by political power. Why is an organization that is motivated by political power less suspect than an organization that is motivated by profit?
        At least with a private company, if I don't like how they treat me, I can do business with someone else (or no one).

        • Because we vote for the people that run the government.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            Because we vote for the people that run the government.

            Indeed - and when the options are douche and turd the sky is the limit to how fucked you can be.

          • So, you trust people who you are required to interact with more than people you interact with on a voluntary basis because you get to choose who is in charge of the first group?
        • by Gerzel ( 240421 )

          Why is an agency motivated by profit less suspect than one motivated by political power?

          • Where did I say it was? However, an organization that I can voluntarily choose to work with or not( a private organization) is to be trusted over one which I must work with, whether I wish or not (a government agency).
            • by Gerzel ( 240421 )

              Right voluntarily choose.

              Just like the power company, phone, Walmart.

              As Corps get more power they remove the choices you have.

              • I don't know about where you live, but around here no one forces you to do business with Walmart. You could shop at Target, or any one of a number of smaller stores depending on what you want. As for the power company, no one forces me to have electricity, I can choose to do without. And the only reason I only have one choice of who to get my electricity from is because the government won't let anyone else deliver it to me. Finally, I don't have to have phone service, but if I want it I have the choice of w
                • "As for the power company, no one forces me to have electricity, I can choose to do without."

                  Spoken like a true libertarian ideologue with no willingness to concede to reality.

                  There are numerous things that cannot be effectively delivered by corps because they become de-facto monopolies. Electricity is a pretty good example. Roads and trains are a far better one - where we simply don't have the space to waste letting multiple companies build roads/tracks to each location. So we have to either grant a monop

                  • Interpreting opposition to further expanding government regulation as being because one thinks "government is bad" is the sort of sloppy thinking that has gotten the U.S. into the problem it is in today. You apparently are one of those people who thinks that the solutions to problems created by government regulation is more government regulation. I am sure you are a fan of the Dodd-Frank law which says that the solution to the problems resulting from "too big to fail" banks is to make them bigger and force
          • If the agency has to do it "right" in order to get paid, that is incentive to do it right. Again and again, more and more efficiently.

            The problem with the public sector is that it is incredibly hard to get fired and in order to get paid, you pretty much just have to show up.

            The motivation to do a good job in the public sector just because it is the honorable "serve the people" thing to do is long past. Now, workin' fer da guv'mint is a ticket to coast until retirement.

            The above, of course, doesn't necess
            • by Gerzel ( 240421 )

              Except private companies don't have to do it "right". They just have to do it good enough to get paid, which is much less, and will do no more than that. If doing it good enough means destroying the environment, or someone's health and well-fare so be it.

      • by 0123456 ( 636235 )

        Private companies are motivated by profit.

        And governments are motivated by power.

        I know which I prefer.

        • by ZamesC ( 611197 )

          Private companies are motivated by profit.

          And governments are motivated by power.

          I know which I prefer.

          ahem... Profit is the CAUSE of most malware....

      • Re: (Score:3, Informative)

        by kwiqsilver ( 585008 )

        I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.

        Private companies are motivated by profit.

        Agencies are directed by political appointees, but good ones tend to have a culture which focuses on institutional competence. (e.g. the solicitor general's office.) It does not make sense for individual companies to take the same measures that a society does--there are collective action problems. Some of those goals can be assumed by an agency working for government.

        Private companies that want to continue to make a profit will make sure they get the job done. Political appointees, on the other hand, will keep their jobs if they fail, and most likely turn the failure into an increased budget, so next time they can fail on a more spectacular level.

        • And yet a number of corporations in recent years ran themselves into the ground through incompetence and greed.

          • Incompetence, yes. Greed, no. If they had been greedy and competent, they'd still be in business.

            You're countering my point, by using the same point. Those companies that ran themselves into the ground, are no longer around to provide bad services. If those companies were government agencies, they'd be getting a bigger budget to "fix" their failures.

        • Private companies that want to continue to make a profit will make sure they get the job done.

          <sarcasm>Oh, is that what happened on Wall Street and in Detroit?! I get it now!</sarcasm>

          • Sadly in the US, where free markets have given way to corporate socialism, i.e. fascism, getting the job done, has more to do with making friends in D.C., than with providing a good product or service at a good price. But giving government agencies more power is not the way to fix a problem caused by government agencies having too much power.
        • Private companies that want to continue to make a profit will make sure they get the job done. Political appointees, on the other hand, will keep their jobs if they fail, and most likely turn the failure into an increased budget, so next time they can fail on a more spectacular level.

          Anti-virus companies have a very strong built-in incentive to never actually put an end to malware, because that would put them out of business.

          Politicians have a built-in incentive to permanently eradicate malware, because the

          • by Lanteran ( 1883836 ) on Friday July 22, 2011 @03:59PM (#36851568) Homepage Journal
            But politicians backed by the MAFIAA would institute trusted computing and a locked up internet in the name of eradicating malware. People only have to think malware is eradicated at no cost for them to be reelected.
      • Take your example of the solicitor general. They are supposed to argue the position of the United States Government in the Supreme Court.

        The official position of the United States Government, by the passing by the House and Senate and signing by the President, is the Defense of Marriage Act. It is the law of the land regardless of its (IMHO) stupidity.

        However, due to political considerations, the "institutional competence" of the United States Solicitor General will not be used to defend the position of the

    • But not in providing the "solution".

      Rather, the government should update their requirements for "anti-virus" software to include:

      1. A bootable CD/DVD that runs the anti-virus app in order to bypass the problems of the "virus" interfering with the clean-up.

      2. Hashes (multiple hashes) of the KNOWN system files and their default locations and sizes.

      3. As with 2 above, but also including as many applications as possible.

      4. Of course the hashes would have to be easily updated after booting the CD/DVD. From a web

    • Ronald Reagan (peace be upon him) said: "Big Government IS the problem." And you bought it. And you've been buying it ever since.
      I'm not buying it. I didn't buy a lot of shit Reagan sold: Borax, Chesterfield cigarettes, supply-side economics. But Reagan sure knew how to shine those turds.
      Much can be done to solve this particular problem in the private sector, to be sure, and I don't necessarily disagree that legislation may be unnecessary. But I marvel at how quick the anti-government knee-jerk reflex kick

    • by JordanL ( 886154 )
      While companies are subject to the force majeure of government, both Government and Corportations suffer from an inability to be held accountable for incompetence and negligence. Until one or the other is fixed in that sense, we're fucked either way.
    • by Gerzel ( 240421 )

      You know it is healthy to be suspicious of anything being the solution. Private or public.

      I find a mix is the best way to go often enough.

  • If you get good people staffing it, not a bad idea. It could focus on a lot of the massive but individually low-level threats, rather than some of the high-level stuff that the FBI does.

  • So why don't we just arrest and throw everyone in jail that catches a computer virus!
  • by TubeSteak ( 669689 ) on Friday July 22, 2011 @01:25PM (#36849136) Journal

    A lot of the rapid response plans the CDC has on the books call for things like quarantine and mass vaccinations.
    The odds that grandma and grandpa have had their yearly flu shot are much higher than the odds that they're running a patched version of Windows.
    And despite numerous proposals to cut off infected machines (aka quarantine) I've yet to see the idea implemented on a large scale anywhere other than college/university campuses.

    • by guruevi ( 827432 )

      And have those plans ever been exercised? There was a huge scare with the anthrax a couple of years ago which kinda fizzled as the perpetrator(s) didn't have the means or need to distribute or the Asian/Mexican bird/swine flu on larger scales showed that there is simply no ACTUAL response to those type of attacks that is either viable or affordable.

      The CDC, FDA etc. response plans to protect anyone but the president and a handful of rich people are a running joke and waiting on a government agency to respon

  • by Qzukk ( 229616 ) on Friday July 22, 2011 @01:26PM (#36849150) Journal

    I'm guessing Tom doesn't mean Cult of the Dead Cow.

    • by Aladrin ( 926209 )

      God, I really want a burger now.

    • Don't we already have one?

      The nerdily-named Computer Emergency Response Team
      http://www.cert.org/ [cert.org]

      Why do I imagine post-doc geeks wearing black sitting around in a darkened room in a "situation room" with huge screens looking at live monitoring logs?

      And also asking each other, "Doctor, do you concur? [google.com]"

      • CERT is an advisory; it catches about 20%. We need hardened stuff, then something that rats out vendors when they don't fix stuff. Actual process needs to be done, not "we'll get around to it when we feel like it." Then REAL statistics, not BS citations that are difficult to compare. Then we spank with our spending habits. Find the culprits. Jail them.

  • by Anonymous Coward

    If the malware purveyors have broken the law, let the government prosecute them as needed.

    Otherwise a plan like this involves more bureaucracy, money, privacy invasions, red tape, and inefficiencies. Worse, you're proposing an agency whose work will necessarily cross borders adding to the complexity. Make it more lucrative for private industries to report infections to law enforcement, remove the stigma of having been "infected", and easier to prosecute or recover damages.

    • Any malware writer of significence is going to be working out of somewhere like Russia, where it would be a very complicated, slow and expensive process for the US to do anythign.
    • Not to mention, CDC budget for 2012: $11,255,301,000. Imagine the budget required for something like this? There's a lot of areas to spend on, this is not one of them.

    • by ZamesC ( 611197 )

      If the malware purveyors have broken the law, let the government prosecute them as needed.

      That's much like say, "we don't need firefighters; we'll just put the arsonists in jail"

  • Oh, yes... (Score:2, Informative)

    This is just what our broke-ass, can't-find-it's-dick-with-it's-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.

    • This is just what our broke-ass, can't-find-it's-dick-with-it's-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.

      You can attack this issue from a potential civil liberties point of view in that by giving someone a gun guarantees someone will abuse it by silencing their opposition.

      You can attack this from a Capitalistic perspective by stating that it's not the government's job to force people into buying anti-virus software or keeping laptops updated so any likely solution will artificially punish users for not buying Microsoft/Apple's latest OS device.

      You can also attack this from a potential security perspective that

      • No, I'm attacking it because we can't afford it. At least not a government-sponsored solution. Let the cheating lying companies that created the mess be responsible for cleaning it up. I mean our gov is talking about taking away the money it's citizens have let it hold in escrow for all their lives. If this is how broke we are as a country, WTF??

        My other point of attack is that our wonderful, dysfunctional government can't seem to pass any legislation that doesn't either back big business or the DoD, at

    • by Wildclaw ( 15718 )

      This is just what our broke-ass, can't-find-it's-dick-with-it's-own-hands, defective government

      Your government is broke? I thought it just had a lot of debt nominated in US dollars. And that is kind of like not having any real debt at all, as the US government has the ability to create US dollars at will.

      If your government looks broke, it is purely a political problem and not an economical one.

      Or are you talking about Greece that were stupid enough to use a fiat currency it didn't own. Or something like Iceland that guaranteed a huge amount of debt in a currency it didn't own. Or some kind of country

  • no, there's plenty of government money dumped to it in almost every country. is it doing any good? not much, the main thing what it becomes is that some guys who get dumped lots of money just go around making the same lectures every now and then, with powerpoint slides saying "unix is a security protocol" and shit like that. and the damages can't be measured as it's just human placed value on it, making the data losses and breaches in actual money(or hardware) hard to measure.

    "Yes, there’ll be some th

    • by gl4ss ( 559668 )

      replying to myself because i'm an ass. . "Former vice chair of PBS affiliate WFYI of Indianapolis.", wonder if he hates nyan nyan..

  • Please update to the latest version of Microsoft (tm) Windows (tm) 7 (R) Professional (tm) or Microsoft (tm) Windows (tm) 7 (R) Home to reconnect to the internet.

    • How much of a problem would malware be if everyone ran something other than Windows? Sure, malware for the other OS exists, but I haven't seen an infection of them since the late 1980s. Windows, all the time, my employer (except the two of us not running windows) is brought down at least twice a year because of infection in one PC that propogates to the others.
      • I think even if MS would release patches as problems were discovered rather than waiting until Black Tuesday things would be a lot better. Unfortunately MS and the AV folks have managed to convince people that a third party is responsible for security vulns in MSFT's software. There is something to be said for the predictive tricks AV can do but it basically becomes a way to sustain delaying patches while the virus frolics so that the corp update folks have weeks to test everything.

        But more generally I'm wo

      • Part of the reason is that Windows is just so popular, it's heavily targeted. It's susceptability to every form of malware known to mankind isn't entirely due to poor security... though that is a factor too. Microsoft has historically been willing to trade security for useability - that's why just about anyone can use windows at least semi-competantly.
        • With the explosion of non-microsoft-os running mobile devices, we'll soon see if the "popularity" argument can trump the assumed higher security of alternate OS. Hope we don't all get embarrassed
          • There is an aditional factor: distribution. On iOS devices you can pretty much only get executable code from one source: the app store. On android it's a bit easier, but potential victims still have to enable sideloading.

      • by Anonymous Coward

        Speaking with a few malware researchers I know, there is NOTHING INHERENTLY more secure about Linux and Windows, other than they are under 10% market share and don't get attacked directly very often.

        If any of them were suddenly 90% market share, they, likewise, be attacked, guarantee it.

        Now, some of the decisions made back in the Windows 98 era regarding networking services may have been dumb as rocks, which may have caused a few of the issues, but since 2004-ish those mistakes have been largely corrected.

        • Are those malware researchers developers? Reading the developer's forums, It seems the Linux and BSD crowd do try to pay a little more attention to the mistakes and poor programming memes that enable malware spread (true, they sometimes fail), and moreover are usually quickly to respond to dangerous bugs (again, not always)
          • by Zerth ( 26112 )

            Nothing stops an idiot home user from giving out the root password to any program that asks for it.

    • The thing about the CDC is that it is possible to immunize and/or treat basically anyone. Financial and logistical concerns may make doing so impractical, but where treatments exist, they tend to work to varying degrees in just about anybody.

      Malware isn't like this. Older software tends to lapse out of support. That's not an insurmountable problem in the OSS community, where the source code to the OS is available so that someone other than the maintainer could write a patch. But with closed and obsolete ope

  • by Shatrat ( 855151 ) on Friday July 22, 2011 @01:28PM (#36849180)
    If a disease outbreak ravages the country and kills the young, the old, the weak, that would be a huge tragedy.
    If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.
    • nah, those infected PCs running the billy bloatware tend to clog up the inter-tubes of webdom for those of us running the better stuff
    • by tlhIngan ( 30335 )

      If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.

      Malware, like real biological diseases, have evolved to where killing the host is a Bad Idea(tm) when it comes to spreading around. It's far better to keep the host alive and churning out copies of infection than to kill the host.

      The end result is that all the "better software users" will have to suffer through the crap caused by all the diseased hos

      • by dzfoo ( 772245 )

        What are you talking about? When did an old IIS/SQL Server vulnerability "took the internet down *hard*"?

        Those hosts being DoS'ed went down, sure, and then they were patched and came back up. Who died? What was the threat to humanity's future?

        When an outbreak of a disease occurs, people die. We create the CDC and other organizations, protocols, and methods in order to protect ourselves and secure our future. We do it because human death is a tragedy, not necessarily because it is inconvenient to be sic

        • by dzfoo ( 772245 )

          By the way, that doesn't even consider that back "ages ago," IIS and SQL Server were hardly de rigueur in the Internet.

  • This agency would have to have international power and able to act swiftly. It would be nice to see some high profile punishment for hackers on the payroll of organized crime in countries that are weak on enforcement. Maybe we should take a Vegas casino stance on these guys like they do with their cheaters. Have fun with your "1337" hacking skills after someone breaks all your fingers with a hammer.

  • Look at how well they handle airport security, natural disasters, delivering packages, stopping drug smugglers, determining if Iraq has nuclear research, planning a budget, improving the economy, and virtually every other task they've ever attempted.

    The only thing government does well is apply force, because that's all government is.

    I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing wit

    • I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing with an issue than a bureaucrat who will use failure as an excuse to ask for a bigger budget. In private industry, failure is punished. In government, it's rewarded.

      We have a company whose profits are on the line, staffed by people, whose salaries are on the line "dealing" with issues.

      It's called Microsoft.

    • Re:Brilliant! (Score:4, Insightful)

      by Bob the Super Hamste ( 1152367 ) on Friday July 22, 2011 @01:59PM (#36849730) Homepage
      Hey the stuff I get through the USPS in general is in better shape than the stuff I get through UPS or FedEx. I have gotten a number of packages through UPS and FedEx that looked like they have been backed over by the truck, or had foot prints on them thankfully most companies who ship stuff pack them accordingly so I haven't gotten prebroken stuff. Now you can trot out that the USPS looses money, but they have to go and get approval from our congress critters to raise their rates, must deliver service to all locations on all weekdays and Saturday which is something that UPS and FedEx don't have to do. There are things government should do and does well, the problem is when it gets into things it shouldn't (saving car companies) or when they try to privatize things they shouldn't (security contractors).
      • by Tom ( 822 )

        For a while now I've come to the conclusion that the government should provide all essential services (water, electricity, Internet, postal service, mass-transit, etc.) via non-profit companies whose purpose it is to provide an acceptable quality at an acceptable price. At the same time, there is no state monopoly and anyone who feels he can do better is free to try.

        The private sector always claims it is more efficient than state-run companies. That's what brought us the whole desaster of privatisation. Wel

    • Re:Brilliant! (Score:5, Insightful)

      by dkleinsc ( 563838 ) on Friday July 22, 2011 @02:20PM (#36850076) Homepage

      All right, all right ... Apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has the government ever done for us?

      • by Loopy ( 41728 )

        All right, all right ... Apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has the government ever done for us?

        Sanitation: usually run by private companies (Allied Waste, etc.) at no tax cost an less cost per month than Netflix.

        Medicine: FDA/etc. only serve to make sure nothing breaks too badly. They have helped prevent abuses at times but are also guilty of preventing life-saving treatments for questionable reasons.

        Wine: Re

      • Sanitation: Like the government garbage strikes in NYC, where trash piled up for weeks? A private company would get the trash picked up (unless prevented from doing so by "labor laws").

        Medicine: Government has run up the costs, and slowed the pace of innovation. When rich Canadians need surgery they leave their socialized system for the semi-socialized US system.

        Education: Like in Atlanta, where the government schools cheat to get money? The more control government has gained over education, the worse it

  • Sure, right now, malware is used to spew spam, steal credit card data etc... but one has to recognize that it is very resilient against all efforts to eradicate it. Fast forward a few years or in other regions, where Government wants to assume total control of the 'Net. Wouldn't malware be the only piece of distributed p2p software being able to resist total censorship? Let's not dismiss malware just because it is being used for nefarious purposes now: it could come very handy in the not too soon dystopian
  • Cyber Defence Council!
  • When you're too stupid to properly name the problem you're trying to address then just BOAKYAG. I doubt there has been any threat from a virus in a decade; today's threats are trojans and worms.

  • In order to server you better the Government Department of Internet Security has installed Friendly Protector 1.0
    Friendly Protector has determined you have 182 instances of unlicensed MP3's and movies please report to the nearest courthouse to pay your fine
    Fine is 458,000 made payable to the MPAA/RIAA and current politicians election campaign
    Friendly Protector has determined that you have 3 instance of adware, 1 instance has been approved and is now protected from removal on your system
    Please download
  • I actually think that there's something going here. Pretty much all of us here, personally, would not benefit from government intervention - this is true. If you're here on /. reading the comments, I'll bet damn near all of us who have GOTTEN a virus, either did it on purpose or took a calculated risk expecting one. Most people who pick up malware are, to put it bluntly, idiots when it comes to computers.

    And the bad part IMO comes from when they get themselves turned into zombies - I wouldn't mind seeing th

  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Friday July 22, 2011 @01:45PM (#36849510) Homepage

    So, for diseases, we focus on prevention.

    Oh, right, we'd rather take a magic pill (antivirus software) than do the right things to keep it from happening in the first place. Exercise and proper diet? No way! It's not my fault I'm fat!

  • http://www.us-cert.gov/ [us-cert.gov]

    From the US-CERT "About Us" page:

    US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.

    Information is available from the US-CERT web site, mailing lists, and RSS channels.

    US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.

    Who runs US-CERT?
    US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).

    Where is US-CERT located?
    US-CERT is located in the Washington DC Metropolitan area.

    What is US-CERT's relationship to NCSD and DHS?
    US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace .

  • Singlehandedly, I'm most of the way there. I'm not saying it to toot my own horn, but as a statement of fact. I've already got 7 (technically 8) databases implemented and currently in the process of creating three more. I don't really consider offensive.dat in the database list because it's designed for parental control scanning. http://www.tot-ltd.org/installation.db [tot-ltd.org] http://www.tot-ltd.org/blacklist/0-F [tot-ltd.org] http://www.tot-ltd.org/whitelist/0-F [tot-ltd.org] http://www.tot-ltd.org/API/ [tot-ltd.org] http://www.tot-ltd.org/ports/ [tot-ltd.org] http: [tot-ltd.org]
  • If your computer or your network is doing harm or attempt to harm a 3rd party it's just as though you punched them in the face.

    I would be all for it if we could have these drones identified and kicked off the internet until they are proven decontaminated. This could be all handled at the ISP level. Maybe even just an "outbound filter" being put on these connections restricting their access down to HTTP port 80 and 443 traffic. With online web account the typical person uses gmail, yahoo mail, hotmail, fa

  • ... biological warfare. Malware didn't evolve naturally, it was engineered.
    • Agreed. The analogy with real viruses breaks down when there is any sort of command and control involved in the malware. Also, a real virus will never pass up an opportunity to spread the moment it mutates, while a malware author might save their best new trick for a really special target. On the other hand, this might be a good opportunity to model a few aspects of how a hypothetical bioengineering arms race might play out.
  • Become truly awful due to some element of human stupidity or laziness. People dump their poo on the sidewalks, businesses continuing to use IE6 instead of porting apps to standards,etc

  • THE CDC exists because the consequence of not stopping an outbreak is a massive decline in the human population, such as during the plague in Europe. Malware infects computers because most IT departments are under staffed with no security budget, or sufficient knowledge.

    Also, lets define what a break in is, a DDOS attack launched by anonymous IS NOT a break in, it's just merely exactly what it states and thats no service. So DDOSing a place like lockheed doesn't get you anything besides an arrest warrant.

  • This is the stupidest thing I have ever seen posted to Slashdot.
  • Give me a break. A cybersecurity version of CDC? Beyond the billions of taxpayer waste funding that abomination, care to explain how in the hell even the most ignorant dumb-ass moron user can't understand the simple instruction of "turn it off"?

    Malware is localized and contained within a hard drive, and instructions are just that simple to contain it. Turn the damn thing off, or disable all network interfaces. I don't need a multi-billion dollar agency telling me something the evening news could do just

  • Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.

    I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric [usu.edu]

    Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.

    The problem is, nobody wants to share. It's too embarrassing.

    Maybe if I start?

    I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:

            * Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
            * Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
            * Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.

    Now, if only I could get stats from other institutions, and compare their security measures.

    It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.

    Miles

  • The way we treat disease is by ignoring cures, developing expensive treatments, and enslaving the patients to life-long pill taking to keep the disease in check while they are milked of their hard earned money.... Even anti-virus software makers are that evil...

  • Cells get infected when rogue genetic material gets past their defenses. A single infected cell can eventually lead to massive side effects.

    The same thing is true when rogue programs get past firewalls, antivirus, etc.. A single computer can result in network wide side effects. Thus far the analogy holds, and is a helpful tool.

    Unlike the situation with our cells, we can redesign the way our operating systems work, so that they don't trust programs. This shift would then allow the user (or administrator) to

  • ... I'm the cure. This is where the law stops and I start, sucker.

    (Cue automatic weapons fire and explosions).

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...