Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on Zombie Computers and what to do about them

From: David Farber <dave () farber net>
Date: Sun, 7 Jan 2007 16:56:02 -0500


Begin forwarded message:

From: Jonathan Zittrain <zittrain () law harvard edu>
Date: January 7, 2007 4:53:22 PM EST
To: dave () farber net
Subject: Re: more on Zombie Computers and what to do about them

for IP if you wish -
OS flaws are not the only problem here. Yes, systems should not have flagrant bugs where, say, merely visiting a Web page is enough to give the Web site complete control over the visitor's computer. And yes, right now no one sufficiently owns security, and financial liability is a way to allocate ownership of a problem. But trying to allocate responsibility among software makers for the conflicts and vulnerabilities that can come up as the soup of unrelated code from multiple sources on a PC interacts with itself is no easy task.
The problem is really much more fundamental: if users are to keep using and benefiting from generative PCs, i.e. PCs capable of running new software with just a click, they need to have a good sense of what to allow to run and what not to allow to run. Even a hypothetically fully patched OS, if it's to be generative, has to be ready to allow new code to rework the machine and manipulate its data. Users can make bad decisions about code, and then they've got a zombie. The risk is that they'll turn over control of what should and shouldn't run to a third party -- more and more PCs at work, in libraries, or in cybercafes cannot accept new code, even if their users want it. That makes them safer but lobotomized. Worse, users may turn to much more limited information appliances precisely because they offer more security. Should the generative PC cease to be at the center of the IT ecosystem, we'll lose the ability to groom new killer apps that begin as fringe projects from unexpected corners -- like the Web browser, instant messenger, VOIP, etc. Web 2.0 is not really a solution, because it is so contingent: Google's open APIs are great until they're not; Google rationally reserves the right to pull the plug collectively or individually on everything built upon those APIs.
We need a way to help users be reasonably informed about the risks of running specific pieces of new code on their machines, and a way to inform them about the network traffic going in and out without overwhelming them with data and choices. First, there should be new collective data gathering efforts that let users instantly see how many others, and at what level of expertise, have adopted what code and for how long. Second, we need to see PCs become more resilient to the inevitable mistakes that will be made, allowing bad code through. Wikipedia can afford to let the public at large edit a page because it's so easy for others to revert any mistakes back to an earlier version. The latest work on multiple virtual PCs within one physical box, and an ability to quickly reset any experimental virtual zones of a PC to a fresh state, is promising. Finally, I think ISPs could help here. They currently have no incentive to find and deal with zombies on their network -- it's just added customer service work. But the patterns of data coming into and out of a hijacked PC may be identifiable, and as much as I hate a slight reduction in e2e neutrality by conscripting ISPs to help out here, the bigger picture requires steps to keep people from drifting away from PCs or locking them down through overly aggressive security tools that will prevent good new code from easily taking root. ...JZ 

At EST 02:14 PM 1/7/2007, you wrote:

From: Udhay Shankar N <udhay () pobox com>
Date: January 7, 2007 7:07:02 AM EST
To: dave () farber net
Subject: Re: [IP] Attack of the Zombie Computers Is a Growing Threat,
Experts Say

At 05:54 AM 1/7/2007, David Farber wrote:


With growing sophistication, they are taking advantage of programs
that secretly install themselves on thousands or even millions of
personal computers, band these computers together into an unwitting
army of zombies, and use the collective power of the dragooned
network to commit Internet crimes.


All of which is possible only because insecure systems are made
available to unwitting users. Bruce Schneier has it right when he
says that "The only way to fix this problem is for vendors to fix
their software, and they won't do it until it's in their financial
best interests to do so." i.e., there needs to be financial liability
involved, like in the credit card business.

One example of Schneier's thoughts on this issue is here:

http://www.schneier.com/blog/archives/2004/11/computer_securi.html

Udhay


--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))




-------------------------------------------
-----------------------------------------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: Archives: http://archives.listbox.com/247/ 
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1788750&user_secret=f2ab41d2
Unsubscribe: http://v2.listbox.com/unsubscribe/?id=1788750-f2ab41d2-wssmg7zi
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: