Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?
from the asking-for-serious-trouble dept
Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: botnets, computers, dan geer, rootkits, security, vulnerabilities
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
There are those with the skills and desire to help the ignorant do indeed exist, but I doubt they'll be hired by corporations.
For all we know, some of the "good" things described have already been done.
Though, that doesn't touch the ethical considerations mentioned herein. :p
[ link to this | view in thread ]
Easier test...
The assumption that all windows users are 0wned is correct at least 60% of the time, according to the information I have available. The assumption that non-windows users are secure is correct at least 98% of the time.
What I'd really like to know is how you write a 'r00tkit' that's smart enough to deal with a completely unpredictable environment of malware, and which may already be running under the mother of all rootkits, a VM within a malicious hypervisor.
[ link to this | view in thread ]
They did say YES
[ link to this | view in thread ]
S0unds G00d t0 me.
[ link to this | view in thread ]
I remember this happening 20 years ago...
I thought it was kind of cool. :-)
[ link to this | view in thread ]
zcat is wrong...
The assumption that all Windows users are 0wned is correct absolutely 0% of the time, as long as there is a single un-0wned Windows user. The assumption that any particular user is 0wned simply because they use Windows might be accurate 60% of the time, but that's a far cry from what you were saying.
But back to the original article. There's two major problems with this issue. Firstly, it is likely illegal. But more importantly, it's not logically sound. It is completely based on a single assumption, and that is that people will always click 'yes' or always click 'no'. It completely fails to account for a third part of the computer using populace which could be described as "people who sometimes click 'yes' and sometimes click 'no'. This includes people like me, who are generally pretty paranoid and usually click 'no' to everything, but prefer to use the most secure methods possible when available.
The described system only functions correctly when the assumption that it is based on is true, and since that assumption is not true, it's unlikely that you could build an effective system based on it.
[ link to this | view in thread ]
Re: Easier test...
[ link to this | view in thread ]
Re: zcat is wrong...
[ link to this | view in thread ]
"Do you want us to hack your computer, Y/N?"
[ link to this | view in thread ]
fucking grammar nazis
And yes, I am aware that some mac users and a very small number of Linux noobs are 0wned without knowing it. That's why I said 98% rather than 100%.
Also there's nothing stopping MSIE on an 0wned Windows machine from identifying itself as "Firefox/Linux".
The real answer is that you communicate cryptographically with hardware that's not so easily 0wned (USB security device, TCP module) or you rely on a completely independent channel such as SMS to confirm that the primary channel isn't being messed with.
Of if that's too hard, you accept that there will be some loss and take out insurance.
[ link to this | view in thread ]
Real world scenario
You're standing on once side of fence. On the other side you can see someone getting robbed of all their money. You know that if you go over there you can stop the robbery. There is an unlocked gate in the fence next to you. On the gate is a sign that says entry explicitly forbidden. What would you do?
[ link to this | view in thread ]
[ link to this | view in thread ]
That depends..
Besides it's not actually like that. You can't actually see through the fence, you have to tresspass first. You might stop a robbery, or you might just be tresspassing. Is it OK to go entering other people's property simply because it's insecure and they _could_ be being robbed?
[ link to this | view in thread ]
More depends..
This is a really strained analogy :)
[ link to this | view in thread ]
Is the person who came up with the idea stupid? Yes. Are users just as stupid? Yes. Does that justify installing malware? No.
Anything that 'pops up' could be seen as spam, and oh whooops, I accidentally clicked yes instead of no, so I must be a retard that deserves to get rootkitted. Nice flawed stupid logic, he should work for M$!
[ link to this | view in thread ]
Personally I'd find it rather funny to have some idiot open a connection I know about in advance, in an attempt to take over my computer...
This idea, if implemented would be very short lived... but would add a few more corporate level systems to the bot nets... or worse.
GNU/Linux is the future.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: fucking grammar nazis
what is the "information you've seen recently" anyways?
[ link to this | view in thread ]
Re: Real world scenario
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: zcat is wrong...
Would you rather argue semantics or make a real point here?
[ link to this | view in thread ]
Such as in.... cracking encryption?
[ link to this | view in thread ]
I just hope he does'nt have lifeblock!
[ link to this | view in thread ]
I woke up this morning with a condom sticking out of my butt.
Were you at my place?
Thanks for using protection anyway...
[ link to this | view in thread ]
re: "by Clare" # 13
[ link to this | view in thread ]