Full Disclosure mailing list archives
Re: Calcuating Loss
From: Alexander Schreiber <als () thangorodrim de>
Date: Wed, 12 May 2004 07:33:52 +0200
On Tue, May 11, 2004 at 03:02:30PM -0700, Schmidt, Michael R. wrote:
I think that part of the evolution is to lock people who create these things up for a *very* long time. It will deter the script kittens when they start to find that their computers are confiscated and their parents homes are sold to pay for the "loss" incurred by there stupidity. The real black hats will be deterred when 20 FBI/CIA whoever agents drag them from their homes at gunpoint with the handcuffs tight around there wrists.
Dead wrong. All this will accomplish is the any malware author will just be one hell of a lot more careful to avoid getting caught. It might even accelerate another trend: malware by script kiddies who goes down, malware by real criminals (who use/sell the infected machines as spam relays, DDoS zombies (nice extortion tool, already used), ...) will go up. Net result: you ruined the live of a few foolish kids and their entire family, but you still don't get the (much more dangerous) professional criminals. Achievement for network security: NIL.
The consequences need to be severe enough. In order to accomplish that our infrastructure has got to support the basic ability to find people who cause problems. Anonymity is not an option.
Ever heard of identity theft? In the same way that the less stupid criminals don't use their own private cars but stolen ones for committing crimes, criminal malware authors will just use computers/accounts whose access credentials were stolen. You end up investigating a fool who got his access credentials stolen, but probably didn't do anything else. And you still have to find the real guy ... We really should take a lesson from the real world here: valuable property (like big bags full of money) are not usually left out on the kitchen table and only protected by strong penalties for anyone wandering in and grabbing a few - if you tried to rely on this, police and insurance would laugh you out of town. Instead, valueable physical property is protected by serious physical means of protection (like putting your bags full of cash into a big, heavy, unmovable safe) _and_ legislation to punish the few serious criminals who still manage to steal some. The way to protect digital infrastructure from the destructive effects of malware is to harden the infrastructure itself. Don't use insecure operating systems and hope that the 'patch of the day' will keep the malware out - because it won't. Don't use sloppily coded, insecure software on hope nothing bad will happen because nobody will find out how to exploit the flaws - because somebody will find out and exploits will happen. Don't build insecure networks and hope nobody will abuse them because nobody knows what a mess it is - because somebody will abuse them. In short: Don't build a house of cards and then try to outlaw the wind, build a house of stone and enjoy the fresh air. Yes, there are things that are very hard or practically impossible to guard against (DoS comes to mind), but practically all malware problems are due to avoidable failures: insecure configurations (like executing untrusted code from unknown sources by default), coding errors that could be avoided by using proper tools (like buffer overflows) and so on. Close the existing easy attack paths and then we can deal with the remaining few attackers with the law and a lot of attention. Regards, Alex. -- "Opportunity is missed by most people because it is dressed in overalls and looks like work." -- Thomas A. Edison _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Calcuating Loss Jos Osborne (May 11)
- <Possible follow-ups>
- RE: Calcuating Loss Jos Osborne (May 11)
- Re: Calcuating Loss Valdis . Kletnieks (May 11)
- RE: Calcuating Loss Schmidt, Michael R. (May 11)
- Re: Calcuating Loss Valdis . Kletnieks (May 11)
- Re: Calcuating Loss Alexander Schreiber (May 11)
- RE: Calcuating Loss Schmidt, Michael R. (May 12)
- Re: Calcuating Loss Valdis . Kletnieks (May 12)
- RE: Calcuating Loss Frank Knobbe (May 12)
- RE: Calcuating Loss Gary E. Miller (May 12)
- RE: Calcuating Loss Frank Knobbe (May 12)
- RE: Calcuating Loss Gary E. Miller (May 12)
- RE: Avoiding traceability (was: Calculating Loss) Frank Knobbe (May 12)
- RE: Avoiding traceability (was: Calculating Loss) Ron DuFresne (May 13)
- Re: Calcuating Loss Valdis . Kletnieks (May 13)