Malware Is a Disease; Let's Treat It Like One
jfruhlinger writes "The most common metaphor we have for computer malware — 'virus' — emphasizes that in many ways malicious computer code mimics biological pathogens. And yet, while the U.S. government has rapid response plans in place for an outbreak of a new disease, we're content to let the private sector react to hugely damaging computer infections. Tom Henderson thinks we need the cybersecurity equivalent of the CDC."
Woohoo, more government!!! Yeah. (Score:1)
Re: (Score:1)
I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
Private companies are motivated by profit.
Agencies are directed by political appointees, but good ones tend to have a culture which focuses on institutional competence. (e.g. the solicitor general's office.) It does not make sense for individual companies to take the same measures that a society does--there are collective action problems. Some of those goals can be assumed by an agency working for government.
Re:Woohoo, more government!!! Yeah. (Score:5, Insightful)
Agencies are directed by political appointees,...
Who are motivated by political power. Why is an organization that is motivated by political power less suspect than an organization that is motivated by profit?
At least with a private company, if I don't like how they treat me, I can do business with someone else (or no one).
Re: (Score:2)
Because we vote for the people that run the government.
Re: (Score:2, Insightful)
Because we vote for the people that run the government.
Indeed - and when the options are douche and turd the sky is the limit to how fucked you can be.
Re: (Score:2)
Re: (Score:2)
Why is an agency motivated by profit less suspect than one motivated by political power?
Re: (Score:3)
Re: (Score:2)
Right voluntarily choose.
Just like the power company, phone, Walmart.
As Corps get more power they remove the choices you have.
Re: (Score:2)
Re: (Score:2)
"As for the power company, no one forces me to have electricity, I can choose to do without."
Spoken like a true libertarian ideologue with no willingness to concede to reality.
There are numerous things that cannot be effectively delivered by corps because they become de-facto monopolies. Electricity is a pretty good example. Roads and trains are a far better one - where we simply don't have the space to waste letting multiple companies build roads/tracks to each location. So we have to either grant a monop
Re: (Score:2)
Re: (Score:2)
The problem with the public sector is that it is incredibly hard to get fired and in order to get paid, you pretty much just have to show up.
The motivation to do a good job in the public sector just because it is the honorable "serve the people" thing to do is long past. Now, workin' fer da guv'mint is a ticket to coast until retirement.
The above, of course, doesn't necess
Re: (Score:2)
Except private companies don't have to do it "right". They just have to do it good enough to get paid, which is much less, and will do no more than that. If doing it good enough means destroying the environment, or someone's health and welfare so be it.
Re: (Score:2)
Private companies are motivated by profit.
And governments are motivated by power.
I know which I prefer.
Re: (Score:1)
Private companies are motivated by profit.
And governments are motivated by power.
I know which I prefer.
ahem... Profit is the CAUSE of most malware....
Re: (Score:3, Informative)
I am always suspicious when government is the solution. I prefer to keep it in the hands of private companies.
Private companies are motivated by profit.
Agencies are directed by political appointees, but good ones tend to have a culture which focuses on institutional competence. (e.g. the solicitor general's office.) It does not make sense for individual companies to take the same measures that a society does--there are collective action problems. Some of those goals can be assumed by an agency working for government.
Private companies that want to continue to make a profit will make sure they get the job done. Political appointees, on the other hand, will keep their jobs if they fail, and most likely turn the failure into an increased budget, so next time they can fail on a more spectacular level.
Re: (Score:2)
And yet a number of corporations in recent years ran themselves into the ground through incompetence and greed.
Re: (Score:2)
Incompetence, yes. Greed, no. If they had been greedy and competent, they'd still be in business.
You're countering my point, by using the same point. Those companies that ran themselves into the ground, are no longer around to provide bad services. If those companies were government agencies, they'd be getting a bigger budget to "fix" their failures.
Re: (Score:2)
<sarcasm>Oh, is that what happened on Wall Street and in Detroit?! I get it now!</sarcasm>
Re: (Score:2)
Wait, isn't that the exact opposite of reality? (Score:2)
Anti-virus companies have a very strong built-in incentive to never actually put an end to malware, because that would put them out of business.
Politicians have a built-in incentive to permanently eradicate malware, because the
Re:Wait, isn't that the exact opposite of reality? (Score:4, Insightful)
Re: (Score:2)
Usually, competence is subject to political will (Score:2)
Take your example of the solicitor general. They are supposed to argue the position of the United States Government in the Supreme Court.
The official position of the United States Government, by the passing by the House and Senate and signing by the President, is the Defense of Marriage Act. It is the law of the land regardless of its (IMHO) stupidity.
However, due to political considerations, the "institutional competence" of the United States Solicitor General will not be used to defend the position of the
The moral of the story is (Score:2)
A politician can render a competent worker incompetent by telling him not to apply that competency.
No matter how capable you are, you can't do your job if you're told not to.
Very good at sitting on the sidelines (Score:2)
While they are ordered NOT to do their duty and defend the position of the United States Government.
In general though, I would hope they are among the least competent people in government. These are the people who defend laws that are very often unconstitutional. They were the ones defending the various civil rights abuses caused by the war on drugs.
Re: (Score:2)
Margaret Hamburg [time.com]?
Physician, public health administrator, seems decently qualified. What exactly is your issue with her?
In this case, government is useful. (Score:1)
But not in providing the "solution".
Rather, the government should update their requirements for "anti-virus" software to include:
1. A bootable CD/DVD that runs the anti-virus app in order to bypass the problems of the "virus" interfering with the clean-up.
2. Hashes (multiple hashes) of the KNOWN system files and their default locations and sizes.
3. As with 2 above, but also including as many applications as possible.
4. Of course the hashes would have to be easily updated after booting the CD/DVD. From a web
Reagan sure put a long lasting shine on that turd. (Score:1)
Ronald Reagan (peace be upon him) said: "Big Government IS the problem." And you bought it. And you've been buying it ever since.
I'm not buying it. I didn't buy a lot of shit Reagan sold: Borax, Chesterfield cigarettes, supply-side economics. But Reagan sure knew how to shine those turds.
Much can be done to solve this particular problem in the private sector, to be sure, and I don't necessarily disagree that legislation may be unnecessary. But I marvel at how quick the anti-government knee-jerk reflex kick
Freedom (Score:2)
AC, Please look up "straw man fallacy".
Do you really think it's the government that's the only threat to your liberty? Do you suppose that corporations are interested in preserving your freedoms? If we can't check corporate power through government, how shall we do so?
Re: (Score:2)
Re: (Score:2)
You know it is healthy to be suspicious of anything being the solution. Private or public.
I find a mix is the best way to go often enough.
Re: (Score:2)
Right, and I'll bet you're a virgin too...
I'm pretty sure that's not how you get computer viruses.
Not a bad idea. (Score:2)
If you get good people staffing it, not a bad idea. It could focus on a lot of the massive but individually low-level threats, rather than some of the high-level stuff that the FBI does.
Drug addiction is a disease too.. (Score:2)
Re: (Score:2)
Slight rant: I know that drug addiction is considered a "disease" as in alcoholism, but I personally think that is the same kind of labeling that makes people feel better about bad decisions they've made. I know there are addictive properties but it's unrealistic to expect that anyone, prior to drinking or doing drugs, hasn't heard all about it - and even if they have, there are a ton of programs to help fix the problem.
I heard about alcoholism before I had my first beer, but that didn't stop me (or ANYONE else I'm aware of) from trying it. I, like most, didn't turn out to be an alcoholic. However, some are not so lucky. Drugs, like alcohol, have different effects on different people. The problem I have with turning those unfortunate folks into criminals is that if they do become addicted, they are no longer in full control of making these decisions - the drugs/alcohol are making the decisions for them. If you've ever had
lolwut (Score:3)
A lot of the rapid response plans the CDC has on the books call for things like quarantine and mass vaccinations.
The odds that grandma and grandpa have had their yearly flu shot are much higher than the odds that they're running a patched version of Windows.
And despite numerous proposals to cut off infected machines (aka quarantine) I've yet to see the idea implemented on a large scale anywhere other than college/university campuses.
Re: (Score:2)
And have those plans ever been exercised? There was a huge scare with the anthrax a couple of years ago which kinda fizzled as the perpetrator(s) didn't have the means or need to distribute or the Asian/Mexican bird/swine flu on larger scales showed that there is simply no ACTUAL response to those type of attacks that is either viable or affordable.
The CDC, FDA etc. response plans to protect anyone but the president and a handful of rich people are a running joke and waiting on a government agency to respon
We already have a cyber CDC (Score:3)
I'm guessing Tom doesn't mean Cult of the Dead Cow.
Re: (Score:2)
God, I really want a burger now.
Re: (Score:2)
Don't we already have one?
The nerdily-named Computer Emergency Response Team
http://www.cert.org/ [cert.org]
Why do I imagine post-doc geeks wearing black sitting around in a darkened room in a "situation room" with huge screens looking at live monitoring logs?
And also asking each other, "Doctor, do you concur? [google.com]"
Re: (Score:2)
CERT is an advisory; it catches about 20%. We need hardened stuff, then something that rats out vendors when they don't fix stuff. Actual process needs to be done, not "we'll get around to it when we feel like it." Then REAL statistics, not BS citations that are difficult to compare. Then we spank with our spending habits. Find the culprits. Jail them.
Please, no. Not another Government Agency. (Score:1)
If the malware purveyors have broken the law, let the government prosecute them as needed.
Otherwise a plan like this involves more bureaucracy, money, privacy invasions, red tape, and inefficiencies. Worse, you're proposing an agency whose work will necessarily cross borders adding to the complexity. Make it more lucrative for private industries to report infections to law enforcement, remove the stigma of having been "infected", and easier to prosecute or recover damages.
Re: (Score:2)
Re: (Score:1)
Not to mention, CDC budget for 2012: $11,255,301,000. Imagine the budget required for something like this? There's a lot of areas to spend on, this is not one of them.
Re: (Score:1)
If the malware purveyors have broken the law, let the government prosecute them as needed.
That's much like say, "we don't need firefighters; we'll just put the arsonists in jail"
Oh, yes... (Score:2, Informative)
This is just what our broke-ass, can't-find-its-dick-with-its-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.
Re: (Score:3)
This is just what our broke-ass, can't-find-its-dick-with-its-own-hands, defective government needs, another resource drain and another nanny role in which they clearly have no business.
You can attack this issue from a potential civil liberties point of view in that by giving someone a gun guarantees someone will abuse it by silencing their opposition.
You can attack this from a Capitalistic perspective by stating that it's not the government's job to force people into buying anti-virus software or keeping laptops updated so any likely solution will artificially punish users for not buying Microsoft/Apple's latest OS device.
You can also attack this from a potential security perspective that
Re: (Score:2)
No, I'm attacking it because we can't afford it. At least not a government-sponsored solution. Let the cheating lying companies that created the mess be responsible for cleaning it up. I mean our gov is talking about taking away the money its citizens have let it hold in escrow for all their lives. If this is how broke we are as a country, WTF??
My other point of attack is that our wonderful, dysfunctional government can't seem to pass any legislation that doesn't either back big business or the DoD, at
Re: (Score:2)
This is just what our broke-ass, can't-find-its-dick-with-its-own-hands, defective government
Your government is broke? I thought it just had a lot of debt nominated in US dollars. And that is kind of like not having any real debt at all, as the US government has the ability to create US dollars at will.
If your government looks broke, it is purely a political problem and not an economical one.
Or are you talking about Greece that were stupid enough to use a fiat currency it didn't own. Or something like Iceland that guaranteed a huge amount of debt in a currency it didn't own. Or some kind of country
no, there's plenty of government money dumped (Score:2)
no, there's plenty of government money dumped to it in almost every country. is it doing any good? not much, the main thing what it becomes is that some guys who get dumped lots of money just go around making the same lectures every now and then, with powerpoint slides saying "unix is a security protocol" and shit like that. and the damages can't be measured as it's just human placed value on it, making the data losses and breaches in actual money(or hardware) hard to measure.
"Yes, there’ll be some th
Re: (Score:1)
replying to myself because i'm an ass. . "Former vice chair of PBS affiliate WFYI of Indianapolis.", wonder if he hates nyan nyan..
Sorry your Operating System is not supported (Score:3)
Please update to the latest version of Microsoft (tm) Windows (tm) 7 (R) Professional (tm) or Microsoft (tm) Windows (tm) 7 (R) Home to reconnect to the internet.
Re: (Score:2)
Re: (Score:2)
I think even if MS would release patches as problems were discovered rather than waiting until Black Tuesday things would be a lot better. Unfortunately MS and the AV folks have managed to convince people that a third party is responsible for security vulns in MSFT's software. There is something to be said for the predictive tricks AV can do but it basically becomes a way to sustain delaying patches while the virus frolics so that the corp update folks have weeks to test everything.
But more generally I'm wo
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There is an additional factor: distribution. On iOS devices you can pretty much only get executable code from one source: the app store. On android it's a bit easier, but potential victims still have to enable sideloading.
Re: (Score:1)
Speaking with a few malware researchers I know, there is NOTHING INHERENTLY more secure about Linux and Windows, other than they are under 10% market share and don't get attacked directly very often.
If any of them were suddenly 90% market share, they would, likewise, be attacked, guarantee it.
Now, some of the decisions made back in the Windows 98 era regarding networking services may have been dumb as rocks, which may have caused a few of the issues, but since 2004-ish those mistakes have been largely corrected.
Re: (Score:3)
Re: (Score:2)
Nothing stops an idiot home user from giving out the root password to any program that asks for it.
Re: (Score:2)
Ay, there's the rub. (Score:2)
The thing about the CDC is that it is possible to immunize and/or treat basically anyone. Financial and logistical concerns may make doing so impractical, but where treatments exist, they tend to work to varying degrees in just about anybody.
Malware isn't like this. Older software tends to lapse out of support. That's not an insurmountable problem in the OSS community, where the source code to the OS is available so that someone other than the maintainer could write a patch. But with closed and obsolete ope
Humans are more valuable than Computers (Score:5, Interesting)
If a virus ravages the country and kills off Windows XP, Adobe Flash, and IIS, then the strong will have survived and the software world will be a better place.
Re: (Score:2)
Re: (Score:2)
Malware, like real biological diseases, has evolved to where killing the host is a Bad Idea(tm) when it comes to spreading around. It's far better to keep the host alive and churning out copies of infection than to kill the host.
The end result is that all the "better software users" will have to suffer through the crap caused by all the diseased hos
Re: (Score:2)
What are you talking about? When did an old IIS/SQL Server vulnerability "took the internet down *hard*"?
Those hosts being DoS'ed went down, sure, and then they were patched and came back up. Who died? What was the threat to humanity's future?
When an outbreak of a disease occurs, people die. We create the CDC and other organizations, protocols, and methods in order to protect ourselves and secure our future. We do it because human death is a tragedy, not necessarily because it is inconvenient to be sic
Re: (Score:2)
By the way, that doesn't even consider that back "ages ago," IIS and SQL Server were hardly de rigueur in the Internet.
Nice idea but.. (Score:1)
This agency would have to have international power and be able to act swiftly. It would be nice to see some high profile punishment for hackers on the payroll of organized crime in countries that are weak on enforcement. Maybe we should take a Vegas casino stance on these guys like they do with their cheaters. Have fun with your "1337" hacking skills after someone breaks all your fingers with a hammer.
Brilliant! (Score:1)
Look at how well they handle airport security, natural disasters, delivering packages, stopping drug smugglers, determining if Iraq has nuclear research, planning a budget, improving the economy, and virtually every other task they've ever attempted.
The only thing government does well is apply force, because that's all government is.
I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing wit
Re: (Score:3)
I'd much rather have a company, whose profits are on the line (assuming the feds don't decide to bail them out), staffed by people, whose salaries are on the line, dealing with an issue than a bureaucrat who will use failure as an excuse to ask for a bigger budget. In private industry, failure is punished. In government, it's rewarded.
We have a company whose profits are on the line, staffed by people, whose salaries are on the line "dealing" with issues.
It's called Microsoft.
Re:Brilliant! (Score:4, Insightful)
Re: (Score:2)
For a while now I've come to the conclusion that the government should provide all essential services (water, electricity, Internet, postal service, mass-transit, etc.) via non-profit companies whose purpose it is to provide an acceptable quality at an acceptable price. At the same time, there is no state monopoly and anyone who feels he can do better is free to try.
The private sector always claims it is more efficient than state-run companies. That's what brought us the whole disaster of privatisation. Wel
Re:Brilliant! (Score:5, Insightful)
All right, all right ... Apart from the sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what has the government ever done for us?
Re: (Score:2)
Sanitation: usually run by private companies (Allied Waste, etc.) at no tax cost and less cost per month than Netflix.
Medicine: FDA/etc. only serve to make sure nothing breaks too badly. They have helped prevent abuses at times but are also guilty of preventing life-saving treatments for questionable reasons.
Wine: Re
Re: (Score:2)
Sanitation: Like the government garbage strikes in NYC, where trash piled up for weeks? A private company would get the trash picked up (unless prevented from doing so by "labor laws").
Medicine: Government has run up the costs, and slowed the pace of innovation. When rich Canadians need surgery they leave their socialized system for the semi-socialized US system.
Education: Like in Atlanta, where the government schools cheat to get money? The more control government has gained over education, the worse it
Malware can be useful too (Score:2, Insightful)
It could also be the CDC (Score:2)
We're doomed (Score:2)
When you're too stupid to properly name the problem you're trying to address then just BOAKYAG. I doubt there has been any threat from a virus in a decade; today's threats are trojans and worms.
Likely Response (Score:2)
Friendly Protector has determined you have 182 instances of unlicensed MP3's and movies please report to the nearest courthouse to pay your fine
Fine is 458,000 made payable to the MPAA/RIAA and current politicians election campaign
Friendly Protector has determined that you have 3 instances of adware, 1 instance has been approved and is now protected from removal on your system
Please download
Force of Government vs Botnets (Score:2)
I actually think that there's something going here. Pretty much all of us here, personally, would not benefit from government intervention - this is true. If you're here on /. reading the comments, I'll bet damn near all of us who have GOTTEN a virus, either did it on purpose or took a calculated risk expecting one. Most people who pick up malware are, to put it bluntly, idiots when it comes to computers.
And the bad part IMO comes from when they get themselves turned into zombies - I wouldn't mind seeing th
Ok. (Score:3)
So, for diseases, we focus on prevention.
Oh, right, we'd rather take a magic pill (antivirus software) than do the right things to keep it from happening in the first place. Exercise and proper diet? No way! It's not my fault I'm fat!
This already exists: US-CERT (Score:5, Informative)
http://www.us-cert.gov/ [us-cert.gov]
From the US-CERT "About Us" page:
US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.
Information is available from the US-CERT web site, mailing lists, and RSS channels.
US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.
Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Where is US-CERT located?
US-CERT is located in the Washington DC Metropolitan area.
What is US-CERT's relationship to NCSD and DHS?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace.
... It wouldn't be that difficult to create that. (Score:1)
Doing Harm Should Exclude you from the internet (Score:1)
If your computer or your network is doing harm or attempt to harm a 3rd party it's just as though you punched them in the face.
I would be all for it if we could have these drones identified and kicked off the internet until they are proven decontaminated. This could be all handled at the ISP level. Maybe even just an "outbound filter" being put on these connections restricting their access down to HTTP port 80 and 443 traffic. With online web account the typical person uses gmail, yahoo mail, hotmail, fa
Re: (Score:2)
My thoughts exactly. Apparently with how we got modded I'm guessing slashdotters don't share the same opinion.
I really do think this is the right move. Being on the Internet is a privilege not a right. It's like driving on the autobahn. If your machine is crippled, get over in the slow lane and stay there or you will get hurt; if your machine is healthy and strong open up the pipes and let 'er rip. Most people with a droned computer won't know any difference if they're being filtered and throttled. Who cares
Sudden Outbreak (Score:2)
Not so much a disease as... (Score:2)
Re: (Score:2)
Most truly awful epidemics (Score:2)
Become truly awful due to some element of human stupidity or laziness. People dump their poo on the sidewalks, businesses continuing to use IE6 instead of porting apps to standards, etc.
A person vs a machine (Score:2)
The CDC exists because the consequence of not stopping an outbreak is a massive decline in the human population, such as during the plague in Europe. Malware infects computers because most IT departments are understaffed with no security budget, or sufficient knowledge.
Also, let's define what a break in is, a DDOS attack launched by Anonymous IS NOT a break in, it's just merely exactly what it states and that's no service. So DDOSing a place like Lockheed doesn't get you anything besides an arrest warrant.
Without a doubt... (Score:2)
Re: (Score:3)
This is the stupidest thing I have ever seen posted to Slashdot.
You must be new here...
Dumbest idea ever. (Score:2)
Give me a break. A cybersecurity version of CDC? Beyond the billions of taxpayer waste funding that abomination, care to explain how in the hell even the most ignorant dumb-ass moron user can't understand the simple instruction of "turn it off"?
Malware is localized and contained within a hard drive, and instructions are just that simple to contain it. Turn the damn thing off, or disable all network interfaces. I don't need a multi-billion dollar agency telling me something the evening news could do just
Security DESPERATELY needs meaningful metrics. (Score:3)
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric [usu.edu]
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
* Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
* Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
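
An added example (not part of the post above, and not USU's code): it recomputes the per-10K rates from the counts in the comment and goes one step further toward the cross-institution comparison the poster asks for, with a 95% Wilson interval and a two-proportion z-test. The other institutions' counts are constructed for illustration.

```python
import math

# Counts quoted in the post: infected hosts seen over one year
# (March 2009 to March 2010) out of 12677 hosts.
POPULATION = 12677
OBSERVED = {"Conficker": 15, "Torpig": 20, "Mebroot": 5}

# Constructed sample data for two hypothetical peer institutions.
PEER_SIMILAR = (12, 10000)   # (Conficker infections, hosts)
PEER_WORSE = (40, 9000)


def rate_per_10k(cases, population, months=12):
    """Return (per-year, per-month) infections per 10,000 hosts."""
    yearly = cases / population * 10_000
    return yearly, yearly / months


def wilson_interval(cases, population, z=1.96):
    """Wilson score interval for a proportion.

    Preferred over the normal approximation when counts are small,
    which is the usual situation for per-family infection counts.
    """
    p = cases / population
    denom = 1 + z * z / population
    centre = (p + z * z / (2 * population)) / denom
    half = z * math.sqrt(
        p * (1 - p) / population + z * z / (4 * population ** 2)
    ) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def two_proportion_z(cases_a, pop_a, cases_b, pop_b):
    """z statistic for the difference between two infection rates."""
    p_a, p_b = cases_a / pop_a, cases_b / pop_b
    pooled = (cases_a + cases_b) / (pop_a + pop_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / pop_a + 1 / pop_b))
    return (p_a - p_b) / se


def differs_significantly(site_a, site_b, z_crit=1.96):
    """True if the two sites' rates differ at roughly the 5% level."""
    return abs(two_proportion_z(*site_a, *site_b)) > z_crit


def report():
    """Build one summary line per malware family from the post's counts."""
    lines = []
    for family, cases in OBSERVED.items():
        yearly, monthly = rate_per_10k(cases, POPULATION)
        lo, hi = wilson_interval(cases, POPULATION)
        lines.append(
            f"{family}: {yearly:.1f}/10K per year, {monthly:.2f}/10K per month "
            f"(95% CI {lo * 1e4:.1f} to {hi * 1e4:.1f} per 10K)"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    ours = (OBSERVED["Conficker"], POPULATION)
    for name, peer in (("similar peer", PEER_SIMILAR), ("worse peer", PEER_WORSE)):
        verdict = "differs" if differs_significantly(ours, peer) else "no clear difference"
        print(f"Conficker vs {name}: {verdict}")
```

The width of the intervals is the practical point: with counts this small, a site reporting 12 per 10K and one reporting 16 per 10K cannot be told apart, so shared data needs the denominators as well as the rates.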
But... (Score:2)
The way we treat disease is by ignoring cures, developing expensive treatments, and enslaving the patients to life-long pill taking to keep the disease in check while they are milked of their hard earned money.... Even anti-virus software makers are that evil...
Bad analogy leads to bad decisions, film at 11 (Score:2)
Cells get infected when rogue genetic material gets past their defenses. A single infected cell can eventually lead to massive side effects.
The same thing is true when rogue programs get past firewalls, antivirus, etc.. A single computer can result in network wide side effects. Thus far the analogy holds, and is a helpful tool.
Unlike the situation with our cells, we can redesign the way our operating systems work, so that they don't trust programs. This shift would then allow the user (or administrator) to
You're the disease... (Score:2)
... I'm the cure. This is where the law stops and I start, sucker.
(Cue automatic weapons fire and explosions).
Re: (Score:2)
> Step 1: Draft a law that says anyone writing a computer virus or malware
There are already laws punishing unauthorized access to computers. Kevin Mitnick did jail time for NON-destructive unauthorized access.
> Step 2: Get all of the worlds nations to agree with the law and enforce it within their borders.
Bwahahahahahahaha. Just like the US has managed to get Mexico and Colombia and Afghanistan to stop sending drugs to the US? Just like they've stopped piracy off the coast of Africa? And how are y