funsec mailing list archives

Re: dumb. Comcast pop-ups
From: Paul Vixie <paul () vix com>
Date: Sun, 11 Oct 2009 14:26:33 +0000

rsk () gsp org (Rich Kulawiec) writes:

...
This should be burned into the brain of everyone working in security:

      If someone else can run arbitrary code on your computer,
      it's not YOUR computer any more.

And allowing computers known-owned by the enemy to operate on
one's network is off-the-scale stupid.
...

on a whiteboard, this is provably true, and is the only reasonable
conclusion.  off the whiteboard, no ISP can afford to take this
position and no online retailer can afford to take this position
and so the security industry (by which i include the regulators)
can afford to take this position.  you're shining a bright light
on the tip of a very large can of worms here.

so many millions of hosts are compromised in the way you say, that
anyone who refused commerce or service to same would see a notable
dent in their traffic volume.  every windows machine is infected
by something at some time, and the various defenseware solutions
aren't usually 100% effective at removing all traces and/or keeping
the same thing or a similar thing from coming back or reactivating.

hotmail and gmail can't even afford to reject e-mail coming from
known-compromised machines, since their own users would complain.
so they do expensive half-measures like greylisting for a few hours
or days and hope that some kind of remediation takes place, which
generally does not take place.

amazon and ebay and paypal can't afford to reject commerce from
known-infected machines, because too many legitimate transactions
from real users of known-infected machines would be prevented, and
anyone who leaves 3% or 5% of their potential revenue on the table
inevitably gets bought or put out of business by those who do not.

malware has penetrated not just the skin, but the bones and DNA of
the internet economy.  it's everywhere and it's not going away ever.
there will always be something infected, and in a race to the bottom
there will always be competitors willing to serve those infected
machines, and there will never be a regulator willing to say "don't
anybody serve them, so that there's no competitive disadvantage in
the not-serving."  the scourge of human nature will be with us
always.  if humanity some day reaches the stars, we will bring our
spammers with us, and re-fight old battles with them then and there.
-- 
Paul Vixie
KI6YSY
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.