Security

Want to stop botnets overnight? Ban infected PCs from the net

Steve Ranger's Notebook: Why surfing on a virus-ridden PC is like sneezing in my face

Surfing the web on a virus-ridden PC is as nasty as getting on a train and sneezing into the face of each and every commuter. And it's time we put a stop to it, says silicon.com editor Steve Ranger.

There's a criminal in your back bedroom, or perhaps in the study. Or maybe even one sitting on your lap, right now. And what's worse, you let them in yourself.

It might sound like the premise for a low-rent slasher flick, but actually it's a reality of internet security in the UK. According to research out this week, more than one million households' PCs are in the thrall of criminals, co-opted into botnets which spew spam or take part in other online crimes.

It's a depressing statistic: chances are, of course, the owners of these million-plus subverted PCs are cheerfully unaware of their device's second life. But we have now reached the point at which our attitudes towards internet security must change.

The time has come to ignore the howls of protest, the cries of 'I didn't know!' and 'It wasn't me!', and to decide that if a PC is infected with viruses or has become part of a botnet, it should no longer be allowed access to the internet.

Consumers need to take responsibility for their security online, and those that fail to do so, for whatever reason, must accept there are consequences.

ISPs can easily spot if a device is part of a botnet, or is riddled with viruses. They already have the ability to warn the user, or even to quarantine the PC for the good of everyone else. And in some countries, such as Finland, they already do.

UK ISPs should take similar action. Taking these rogue PCs off the net will save the rest of us time, money and hassle. It sends the message that accessing the web is a privilege to be earned and not a right to be unthinkingly abused.

To say that the average consumer isn't sophisticated enough to know how to secure their PC is condescending nonsense: if someone has the ability to fire up a browser, they have the ability to secure their computer.

Really, it's not that hard. In fact, it's easy - and costs nothing to boot, thanks to the free firewalls and antivirus software available.

If you don't secure your PC you are deliberately putting yourself and others at risk. Connecting a virus-ridden PC to the internet is the equivalent of getting on a train and sneezing into the face of each and every commuter, on the grounds that you are too careless to use a handkerchief.

Right now, too many consumers do not take security seriously because they myopically fail to understand the consequences of their inaction.

One of the wonderful things about the web is that it is not - like TV - about sitting back and consuming content. It's about leaning forward and creating as well, from Wikipedia to silly cat pictures. But right now the contribution being made by a million PCs in the UK is to spread viruses and spam, and that's not acceptable any more.

As the web becomes increasingly important we have to make abundantly clear to its users what is acceptable and what is not.

Giving web users a warning (or two) to fix their security before booting them off the web seems like a good way of tackling the problem and I'd wager the spam and botnet problem would disappear overnight if such measures were put in place. Sure, there will be a bit of short term pain (and plenty of work for the PC repair brigade), but the longer term goal is important - not just in reducing spam or viruses, but creating more responsible, more aware digital citizens, whether they like it or not.

Steve Ranger is the editor of silicon.com and has been writing about the impact of technology on people, culture and business for over a decade. You can find him tweeting @steveranger.

About

Steve Ranger is the UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. Before joining TechRepublic he was the editor of silicon.com.

6 comments
the_webninja

I think it is a good first step in the right direction if ISPs can tell if a PC is infected and the user is not smart enough to know, it is not much different than a Cop stopping a Driver if they are breaking the Law or doing something wrong. If I was on a PC that was infected and I didn't know about it, I would WANT the ISP to let me know if they could tell it was infected. I think doing SOMETHING is far better than just doing nothing and saying "The Problem is just out of control so forget the whole thing" which is what others are implying. If I had MY way I think we should adopt Public Beatings in the Town Square for all the Virus Makers and Spam people. That might put a dent in the problem. But most Legal people are too Wimpy to even suggest such a thing.

smith.jenkinson

I have written an interpreted program under AutoHotKey which reads a file sequentially and writes out 3 copies in the same loop. The files end up with different file sizes and numbers of records (it is a trivial program to demonstrate what happens). I've done a Virus check - all clear, a ChkDsk - all clear, an MD5 checksum on AHK - all correct. If nothing can detect what is corrupting my files randomly then if my PC has not been hacked someone could hack it to do just that AND BE UNDETECTED. Can you guarantee that the currently available software can detect ALL threats? If you can then I'm sure NASA and the Pentagon will be glad to hear from you. I'd also take up your guarantee if you offered compensation if my PC became infected. If you were right you'd make a fortune. Hacking PCs is far more serious than hacking phones and it is time for the police to get involved.

DCGideon
1 Like

"To say that the average consumer isn't sophisticated enough to know how to secure their PC is condescending nonsense:" We live in an Internet where corporate and government networks are routinely hacked by script kiddies. Even a site as secure as the Pentagon got hacked. It is apparent that the author either has no desktop support experience or is simply lying to give cover for corporate interests. I have three years of desktop support experience and have seen many PC users who barely know how to turn their computers on. I must also disagree with your notion that Internet access is a privilege. Internet Access is a right, albeit one conditioned on behaving in ways harmless to others. It is one thing to temporarily take infected PCs offline in efforts to block a currently executed attack. (This is already done; happened to my brother) but what is being proposed will result in a lot more than taking infected PCs off the Internet. If Internet access is viewed as a privilege, then people can be taken offline at the discretion of governments and corporations. I can just see this idea being used as a weapon for political and religious censorship. A better idea is to build more security into PCs out of the box. Windows 8, for example, has Microsoft Security Essentials pre-installed and pre-configured. Linux machines have had, from day 1, more tightly constructed user permissions systems.

Gayle Edwards
4 Like

How does a "consumer" secure a closed-source OS with hundreds of known security-holes? You know who I am talking about. I have seen far too many compromised PCs, that -were- running the latest versions of software, with up-to-date anti-virus, patches, and even, firewalls... and yet, they were still infected. Often (...despite the latest corporate security-spin falsely accusing end-users of negligence) these infections were from nothing more than regular web-surfing/usage... where a perfectly "legitimate" web-site linked to some content somewhere, where a first, second, or third-level page-element contained an attack element, or link (...and, frankly, -all- search-engines have become the absolute worst place to start if you are running the Operating-System that comes pre-installed on almost all PCs). Basically, what this article seems to be calling for is that old chestnut, "Trusted, end-point-to-end-point, secure, computing"... where some third-parties hold the keys to forcibly-controlling what hardware, software, OSes, and applications, "consumers" -must- use. And, frankly, this would hand our computers to the very worst offenders (the largest software companies)... who have (through poor products, arrogance, greed, not to mention often illegal business practices) created the very "security" situation/disaster that the author is railing against. Holding -victims- responsible for the actions of unethical corporations (who are the ones actually at fault, and giving those same special-interests a free-pass, and even greater control over consumers) is, frankly, insane. I have a real suggestion. One that addresses the actual root of the real problem. How about we hold software-manufacturers... themselves... monetarily responsible for the flaws, and consequences, of the products they sell? I am only talking about the bugs that "consumers" are powerless to control. 
I suspect, that, might motivate such businesses to produce better products, and stop trying to blame, and manipulate, consumers into ever tighter chains of lock-in and control. This would actually be far better for everyone.

JesusChristSuperStar
3 Like

If the botnet operators and junkmail peddlers are thwarted in this manner, they will only seek other means to accomplish their goal. Any benefits would only be temporary. The way to stop them once and for all is to remove their incentive. Why do spammers spam? Because it is so immensely profitable. But if all the online merchants who hawk their wares were to be banned by the banks and credit card companies, how much of their stuff would they sell if the customers had to go to the post office to get a postal money order for every purchase they made? The scourge of junkmail would come to a screeching halt. But the politicians who make the laws have no intention of putting a stop to such devious practices. They only want to give their constituents the impression that they do.

life256

Let's do this! Short-term panic and anger/hatred will ensue by the public, but they will get over it. Viruses may be my bread and butter right now, but I would much rather be selling people new servers than removing viruses off of 4-5 desktops... Just sayin.
