Microsoft wants to ban 'sick' PC's from net

Discussion in 'other security issues & news' started by Ocky, Oct 6, 2010.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    We are all already paying for it; botnets cost billions of dollars in losses, guess who pays for that?

    This wouldn't be a heuristics AV. If someone's sending out packets to port 25 at full speed there isn't much room for false positives. The customer is called and he says, "yeah I know, I run a mail server" - case solved. You call the customer and he's like "SMTP what?" You tell them "you are infected, they are probably stealing your data, get help, you have a month, we can send someone at your cost, you can solve it yourself or we have to disconnect you if you ignore this". "Oh, I'm infected? I had no idea! Thank you for notifying me!"

    How would you do that?
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My very wild guess is that this would represent the largest % of users. Somehow I doubt they would be willing to pay to clean an infected and infective O.S., which they already paid for, and for all they know their AV says all is clean.

    Most likely, these customers would start complaining ISPs aren't doing their share to help protect them.

    Many people are using outdated and non-functional security software, without being aware of such, due to contracts between security vendors and computer manufacturers. How about this crap ends for once and for all?

    I don't see Microsoft/anyone else saying a thing about this. Isn't this very problematic?

    I had a relative running a trial version of a security product, unaware of such, and the product wasn't running anymore; my relative thought they were being protected. Guess what? System heavily infected.
    Whose fault is this? My relative's? No, the guilty are: security vendors and computer manufacturers.

    Still, no one does anything about it.

    Things aren't black and white; there's a great grey area that some seem to refuse to admit exists.

    -edit-

    Heck, security vendors even promise to protect people from all types of threats, on their websites. This does not happen, now does it? No, it doesn't. Still, lots of people pay for it and still get their systems infected, without even knowing it.

    Why don't security vendors make such an alert on their websites? Right, bad for business!

    How about some laws forbidding security vendors from making such false claims?

    Just like it would be unfair competition to these security vendors if Microsoft bundled an antivirus with their O.S. People are obligated to pay for security (those who don't know about free and valid alternatives, and who also see that those very same security vendors offer suites to protect them against even more threats), so that others can make money out of this.

    This is all about money. I know, but it still makes me sick.
     
    Last edited: Feb 17, 2011
  3. katio

    katio Guest

    I KNOW of these problems...

    Do you suggest we just keep doing what we've been doing. Let them be infected, don't tell them and everybody is happy?

    A truly great idea!

    I know the proposed idea here comes with many strings attached and maybe it makes things worse than it solves but why can't we discuss that?

    If the ISP can prove that there's a zombie PC on that IP I doubt the "majority" would react by attacking their ISP and threatening to terminate the contract. People generally are reasonable (and btw you can talk people into a lot of things if they are afraid, ask anyone selling insurance - but that's another topic.)
    Who on earth brought up the mandatory get-it-fixed-by-ISP/MS? Most people have a relative or friend who knows a bit more about computers than the average. But yes, there's a big opportunity for ISPs to get into the business of selling security snake oil and I agree that's not a goal I'd subscribe to.

    In case this whole concept of "forcing" users into keeping their systems from attacking other systems is still too foreign consider this analogy:
    https://www.wilderssecurity.com/showpost.php?p=1824228&postcount=78

    All good points, but these things don't exclude each other.

    For the record: I'm against the proposed "solution" but I'm also against NOT telling people if they are definitely infected.
    If I see someone hammering my firewall from an edu address, I'm not going to call the cops, or Microsoft or the security "industry". I'm sending a mail to the IT department and telling them in a friendly way to take care of the problem. Now what if the IP is a dynamic Verizon address?
    Home users have no IT department, no public email in the whois and no knowledge of how to handle the situation anyway. I'd call the ISP and tell them to somehow fix the problem. Sounds unreasonable?

    Hope not, and sorry for any confusion I might have caused :)
     
    Last edited by a moderator: Feb 17, 2011
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Sure. But they're invisible to most end-users. Adding this service would add burden, at least in the beginning phase. I'm not interested in talking about it being a long-term investment etc.

    Maybe I'm seeing it wrongly...please clear it up for me if I am.

    Quoted from: “Collective Defense: Applying Public Health Models to the Internet.”

    It sure looks nice. In theory. But practical usage?

    Well-known malware? FPs are still quite a problem with most AVs. How would they define which AVs to use to correctly determine malware (a VirusTotal-like service?) What about undetected malware?

    You made it look so simple. Do you really honestly think that things would work out in such a manner? All the time?

    Who knows - businesses can be affected too.

    People couldn't care less whether or not they're affecting the rest - all they care about is that they get their job done. Even if they're silently infected. You cut off the net for them, screw up their work schedule etc. and try to convince them it's all for the greater good. I wish you success.

    Good catch. I'll leave it to the tiger-hunters to do their job.

    Seriously, if I knew how, I wouldn't be on this forum. I'll leave that to those who know better and can come up with better suggestions. But I don't think this is.
     
  5. katio

    katio Guest

    As I understand it they might only want to know if an AV is installed; they wouldn't flag single FPs detected on the machine and disconnect it immediately. I mean, duh. The overhead of FPs would be way too expensive and disruptive for everyone.
    I imagine the system works like an IDS at ISP level. IDSs can be more heuristic with tons of FPs or they can be less aggressive in their detection and only kick in if there's something obvious going on. The second part of such a system could be the Windows Malicious Software Removal Tool which already flags infected PCs, reports back to the MS "headquarters" and tries to take care of the situation if it can. In cases where it can only determine that something is wrong but can't fix it for technical or legal reasons, MS could alert the ISP and tell them the flagged IP + technical details, which is then relayed to the owner of the IP.

    There are tons of problems: privacy, antitrust, freedom, you name it. But I think a reduced set of measures that only kicks in for the most severe and obvious cases could benefit everyone and would therefore be acceptable for everyone.
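    As an added example (not code from this thread, from any ISP or from Microsoft), here is the kind of non-heuristic, ISP-level check that posts 1 and 5 describe: a source is flagged only when it sends to many distinct port-25 destinations for several consecutive minutes, and customers known to run mail servers are skipped so the "yeah, I run a mail server" call never has to happen. The flow records, IP addresses, allowlist and thresholds below are constructed for the illustration.

```python
from collections import defaultdict

# Constructed ISP-side flow records (not real traffic):
# (unix_time, src_ip, dst_ip, dst_port, packets)
FLOWS = [
    # 203.0.113.10: a customer's legitimate mail server, on the allowlist
    *[(1000 + i, "203.0.113.10", f"198.51.100.{i % 50}", 25, 40) for i in range(120)],
    # 203.0.113.20: a spam bot, dozens of distinct port-25 targets every minute
    *[(1000 + i, "203.0.113.20", f"192.0.2.{i % 200}", 25, 3) for i in range(180)],
    # 203.0.113.30: a normal home user talking only to the ISP's own relay
    (1005, "203.0.113.30", "203.0.113.100", 25, 12),
    (1070, "203.0.113.30", "203.0.113.100", 25, 9),
    # 203.0.113.40: a one-minute burst that is not sustained (no ticket)
    *[(1000 + i, "203.0.113.40", f"192.0.2.{i}", 25, 1) for i in range(60)],
]

KNOWN_MAIL_SERVERS = {"203.0.113.10"}   # customers who told us they run SMTP
WINDOW = 60                              # seconds per bucket
MIN_DISTINCT_DST = 30                    # distinct SMTP targets per window
MIN_WINDOWS = 2                          # consecutive hot windows before a ticket


def bucket_smtp_flows(flows, window=WINDOW):
    """Map src -> window_index -> set of distinct port-25 destinations."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport, _pkts in flows:
        if dport == 25:                  # outbound SMTP only; nothing else is inspected
            buckets[src][ts // window].add(dst)
    return buckets


def longest_consecutive_run(window_indexes):
    """Length of the longest run of adjacent window indexes (e.g. 17,18,19 -> 3)."""
    best = run = 1 if window_indexes else 0
    for prev, cur in zip(window_indexes, window_indexes[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_spam_bots(flows, allowlist=KNOWN_MAIL_SERVERS,
                   min_dst=MIN_DISTINCT_DST, min_windows=MIN_WINDOWS):
    """Return one ticket per source that sustains mass SMTP fan-out.

    A source is reported only if it reaches `min_dst` distinct port-25
    destinations in `min_windows` consecutive windows; allowlisted mail
    servers are skipped entirely.
    """
    tickets = []
    for src, windows in bucket_smtp_flows(flows).items():
        if src in allowlist:
            continue
        hot = sorted(w for w, dsts in windows.items() if len(dsts) >= min_dst)
        if longest_consecutive_run(hot) < min_windows:
            continue                     # a single burst is not enough evidence
        tickets.append({
            "src": src,
            "first_seen": hot[0] * WINDOW,
            "hot_windows": len(hot),
            "peak_distinct_dst": max(len(windows[w]) for w in hot),
            "note": "sustained outbound SMTP fan-out; notify customer",
        })
    return tickets


if __name__ == "__main__":
    for ticket in find_spam_bots(FLOWS):
        print(ticket)
```

With an empty allowlist the legitimate mail server would be ticketed too, which is exactly the customer call the thread describes; keeping the allowlist current is what removes that false positive.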
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry, but I never mentioned once to let it be.

    I do applaud any ISP that would get in touch with their clients and let them know about infection problems. But, how would it all be handled? Would all these people have to spend extra money, that they probably cannot afford to spend, to clean their systems or have someone reformat and reinstall their O.S. and applications, if they don't know how to do it? Now, this is what I dislike in all this, because you can bet these people wouldn't have these problems solved for free, when it wasn't their fault their systems got infected in the first place - they simply don't know any better, and for all that's worth their AVs report everything clean; some don't even know they're running non-functional security applications, due to the trial period running out.

    How would this be done? And, those who couldn't pay for it, would they be banned/quarantined from the Internet until they could? What if their work requires an Internet connection? Who's going to pay their bills, etc?

    Or, will these people be offered a clean system and educated on how to keep it clean? I have my doubts on such, somehow. After all, it would be bad for other people's business (security vendors). lol

    Oh, I am. But, I don't have to agree, do I?

    Yes, people are generally reasonable. But not when it is not their fault, and when they already paid for something that reports their systems clean, or when they thought they were being protected already, without knowing they were actually running a non-functional trial version no longer protecting them.

    If I were among this % of people, I would NOT be reasonable to the idea of having to pay extra money I could not afford to pay and being outcast from the Internet, and all because others fail to make their O.S. safer and others promise to protect against all threats and yet miserably fail at it.

    If I'm paying to be secure, then why do I have to pay more if those applications failed to do it? Sorry, but others should be paying the bill, not me.

    Any statistics on that?

    I guess we think the same then. But, it all comes down to how they are going to be told about it.
     
  7. katio

    katio Guest

    Wasn't directed at you personally. I just wanted to point out the other extreme.

    Here's where we disagree. These preinstalled AVs, they are preinstalled for just one reason: getting whoever buys the OEM system to pay the yearly subscription, year after year. The ones I've seen make it pretty clear when the trial phase is up. In fact they nag you so much that there simply is no other word for them than adware and even scareware. Besides, Windows Action Center too tells you that you need an AV and it also tells you when the AV isn't working anymore.
    ISP says: reinstall, clean or whatever you want but if you continue sending DoS attacks across the internet you'll get disconnected.
    It's absolutely the responsibility of the user as in "their fault" if they don't understand the AV and Windows warning and then continue to ignore the ISP warning.
    I'm sure in some jurisdictions customers could get sued if they continue letting someone else use their computer for DoS or hacking purposes after they got notified. Isn't that a definition of an accessory? Complaining how this costs money and they have a deadline doesn't help much then, does it?

    Insecure systems are bad for vendors too. Besides all the losses to internet crime, customers don't really trust these "technologies" and that's bad too for everyone doing online business.

    I think this argument doesn't have much weight in the real world. No statistics again but I believe the majority of zombie PCs don't run any kind of security software, aren't patched at all or are connected directly to the internet (which is the fault of the ISP).


    Personal experience. But I can bend that "a bit more than the average" to fit any statistic you present (mathematically more than average is half the people so there you have it :p)
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,751
    Location:
    DC Metro Area
    "Laws Must Change to Combat Botnets – Kaspersky"

    "Experts from Kaspersky say the internet can be cured of botnets, but laws must change first in order to allow access to personal computers from third party companies and law enforcement agencies.

    Kaspersky Lab has called for changes to legal systems around the world that would allow law enforcement and antivirus companies to forcibly access computers being controlled by a botnet to remove the infection, possibly without the permission of the owner."

    http://www.itp.net/583919-laws-must-change-to-combat-botnets-kaspersky
     
  9. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    As mentioned, trial security apps, particularly Norton, throw you pop-ups until you are blue in the face before expiring. These warnings probably get as much attention as the health/cancer warning on cigarette boxes, little to none. I disagree that it's not the fault of people who are running a botnet system, quite the opposite in any cases I've seen.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Maybe if the user ignores the end of trial/subscription, and decides not to buy it/prolong subscription, and does not look for other free alternatives, it's their own fault. I admit that.

    I'll give just this example, then: Microsoft Security Essentials.

    XYZ person installs it. It always reports the system as being clean. It is not. Whose fault is that? Is it the user's fault only to be aware of the existence of antivirus/antimalware applications, and that these applications report everything OK?

    Is it the user's fault that Windows, when installed, by default, creates an administrator account?

    Is it the user's fault they don't understand UAC (in Vista and 7) and hence turn it off? Which, in turn, makes these administrator accounts FULL administrator accounts. Not to mention that malware is able to bypass UAC, anyway.

    So, is it the user's fault that, in such a scenario, IE7/IE8 runs with FULL administrator rights?

    Is it their fault they're unaware of the existence of limited/standard user accounts and their benefits?

    Yes, let's blame the users for that.
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Uh, no. Windows in the old days was left wide open with all kinds of IPC junk and open ports that could not be turned off without some major registry hacking. And these machines were meant to be networked (MS did not distinguish between local networking and the Internet, which was a disaster). Further, the FAT filesystem does not have any notion of file permissions built in, which means there was one superuser who had control over everything (there was no notion of separate user accounts or privilege separation). This changed with NTFS, of course, but it set a bad precedent that MS is still trying to recover from, even on Windows 7.

    It's no more vulnerable than a traditional root account. The root account can also be socially engineered. There's no difference.

    This sentence makes no sense, so I can't really respond.

    There are security boundaries, so I am not sure what you mean.

    SSH brute-forcing is not a result of a flaw in the OS or the ssh server, but is a result of poor admins. The user/admin does have some responsibility here.

    On the contrary, those are the big problems, at least on *nix. There is no malware problem on any platform but Windows. Never has been.

    Social engineering will always be a problem on any platform. I agree with you there. But to suggest that this is the main reason for past MS security woes is inaccurate. The average time for an XP box (with the default configuration) to be hit with malware after being plugged into the Internet was less than a minute according to one study I read about. That's not all the user's fault, I'm sorry.

    Not all that much of a problem because most every FOSS project that is worth anything uses code signing. Even if the server is cracked, it does the attacker little good. Same thing goes for code version control systems like Git which have security features built in that thwart this threat.

    I got the alert because I have code hosted on Sourceforge. From the e-mail I was sent, the password changes were a precaution. I don't sign my code on Sourceforge because there is no easy mechanism to do it (though the same code on Launchpad requires signing before they accept it). I don't really worry about it being compromised on SF because I only use it as a way to distribute code and not a binary.

    Yeah and how many people use proFTP? Like seven? And you know why it got compromised? Because the developers did not sign their code. In fact, they had zero security measures in place to stop an issue like this, which they readily admitted to after the attack.


    I got an e-mail from my ISP a year or so ago saying I was spamming on port 25. The e-mail went on to say I should do a malware scan (I LOL'ed). I knew this was bogus because A) I don't use Windows and B) port 25 was closed. I did a thorough analysis to make sure that I hadn't been cracked by some uber hacker (who might've been able to bypass my MAC restrictions), and I found nothing. In other words, the ISP was wrong. I then went to my ISP's forums and there were a lot of other people complaining that they also got the e-mail and they knew for a fact they were not compromised. All of us suspected the ISP was sending e-mails to anyone who happened to have certain IP addresses over a certain period of time. In other words, ISPs do get it wrong!
     
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I also want to comment on the Kaspersky proposal as quoted here:

    OK, so far so good..

    lolwut? This is a disastrous plan. So am I supposed to be punished because I run Linux? Does this mean I must pass a M$ "health check" even though I do not use M$ Windows? It's preposterous. It's like asking someone who wants a street driver's license to take a boating test. They are two different animals all together.

    Second, why do I need a firewall? I don't have any listening services. And even if I did, I still have a hardware router with a strong and customizable firewall built in. How does Kaspersky propose to check for that? Are we to be punished because we use a hardware firewall?

    Third, why do I need AV software? I don't run Windows, thus I have about a 0.001% chance of getting any malware infection. Installing an AV on my machine would be a complete waste of time and resources.

    So, who really benefits from these proposals? Kaspersky and the AV vendors, that's who. They, no doubt, have a profit motive here, hoping they can get a piece of this "PC health check" pie. And they want laws to make it mandatory. Conflict of interest anyone?
     
  13. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    If we are talking Windows XP SP2 with the firewall enabled this is false, as I surfed as an admin in XP on numerous machines without an AV installed and never got infected. Older versions of XP, or with the firewall disabled and not behind a hardware firewall, then I'd believe it, but that is not saying much as that software is ancient, from 2001. How long would it take to get infected using an Acrobat Reader version from 2001? Or using Firefox 2.0 from 2006? Or iTunes from 2001?

    Automatic updates are enabled by default. New Vista/7 machines are very secure by default IMO, so I disagree that it's not the user's fault.
     
  14. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    I agree with your entire post; even on old Windows XP machines I haven't used a real-time AV since 2004, or really any 3rd party security software, and have had zero malware issues. I don't want to be forced to install apps to make my ISP or MS happy. If they can prove my machine is a bot and want to shut it down I'll gladly reformat though.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm convinced that's how most corporations get so big. Not all, but most.
    It's never capitalism, but politics and corruption.

    These think it's their time now...
     
  16. katio

    katio Guest

    You answered it yourself: local-network-only single-user PCs. Though they kinda missed the trend there somewhere between 3.1 and XP pre-SP2. However, I was talking about the situation now, i.e. software that is still supported, XP SP2 and later.

    Wrong. sudo can be circumvented very easily in the typical 15-minute remember-password mode. Without that it's like su and vulnerable to ./su in PATH, alias su or Xorg insecurity, see below. Thus logging in as root on the console is more secure.


    http://theinvisiblethings.blogspot.com/2010/08/ms-dos-security-model.html
    and we already had some discussions, if you need a refresh:
    https://www.wilderssecurity.com/showthread.php?t=280781
    https://www.wilderssecurity.com/showthread.php?t=280685



    http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx


    Yes, so? Running no security software or outdated software is just the same: the responsibility of the user.
    I realize that there are other problems that mainly are the fault of the software vendor, but I doubt that the typical zombie PC got hacked by a stealthy highly skilled hacker who circumvented all the built-in and 3rd party protection. These are automated attacks, typically over email, open ports with vulnerable services and Adobe/IE/Java exploits that got fixed months ago AND are detected by most AVs.


    I'm not sure I understand. I'm really interested how you hack kernels remotely (network stack exploits are incredibly rare, I think there were 2 or 3 in total).
    If you can automate network intrusion, brute force attacks and webserver exploitation with soft"ware", is that not mal"ware"?

    See my first point.

    I'm only talking about source code obviously.
    So, what about SVN or CVS? Does git sign every file? If you don't access the files over git but directly how can it protect you?

    People who download and run code from SF did worry, me included.
     
  17. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    We do ban murderers etc. When we catch them we take them to a court of law.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Correct...

    Then again, the same happens to innocent people: they're convicted for crimes they did not commit. Many spend years and years in prison, others are sentenced to the death penalty... But, that's another topic.

    As someone else mentioned why should I be punished for not having an AV, etc, and still have my system cleaned?

    And, Kaspersky's idea... that was a laugh... hack into people's computers without their consent! WTH? Yeah... I guess Kaspersky wasn't too happy their website got hacked a few times. They want others to have a little taste of it. :D

    Unfortunately, I couldn't read the mentioned article, as the web browser won't load, for some reason, it just keeps trying.
     