The solution to malware is simple:
1. Write software that doesn't treat security as an inconvenience.
2. Get people to use it.
3. Convince everyone that they should learn to think for themselves from time to time, especially where security is concerned.
Simple . . . but not easy.
2. Get people to use it.
you funny.
people? use software that doesn't treat security as an inconvenience?
riiiight.
in this age of promotion of stupidity [ twitter, youtube, iphone, blackberry, gphone ... ] do you REALLY expect people to do something SMART and use something where they have to GASP THINK?!?!?!?!
and thanks, I needed the chuckle.
I'm glad I was able to provide some entertainment value, at least. I was fully aware of the humor in point 2 when I wrote it, and I'm glad the first person to comment picked up on it.
a short article that is so accurate the only way to comment is to laugh at the humor built into it. 
It's either laugh, or cry at point 2. Unfortunately, that is the one point that really is a killer for security.
Ease of use takes precedence with the vast majority of users. They don't care about the risks and won't accept any inconvenience.
Though an associate was just telling me about a network he had to set up this evening, to work on a custom database app for the business. The company demanded that it be as secure as he could configure it to be. The company required that the Database server system be completely isolated from the Internet, no going online with it, ever. This is a medical clinic, dealing exclusively with Methadone patients. Health records, and completely locked down to protect them from exposure. It does give some hope for future security in general that paranoia has made it into the health care sector.
And, faster than you can do them yourself.
Imagine if you could buy a car that was put together like Windows OS.
It would come with no brakes, no airbags, no seatbelts, and features like door locks and headlights would be options.
And half of the cars would come with 'trial versions' of airbags and brakes that stopped working after six months.
Those who purchased the 'security suite' of airbags/brakes/door locks from one vendor would be often faced with a car that was so slow it could not go faster than 30 mph.
And then the user would have to spend much time researching the best type of airbags to get, the best seatbelts, and the best door locks.
Of course the thrifty car buyers would make their own seatbelts or airbags, or just not bother to install things like brakes.
And then there would be discussion sites where pointy-headed 'experts' patiently explain to new-bie car owners why brakes are important, or why homemade airbags are a bad idea.
You're not allowed to drive a car before showing a certain amount of knowledge and skill at doing so - so why shouldn't users be educated.
But now onto the Windows analogy...
I'm tired of hearing that Microsoft doesn't do this or that with the OS. Many times when they do try including extra functionality, somebody complains about their being a monopoly, blah, blah, blah. But when Apple does it, it's the greatest thing that ever happened. What's up with that??
without first passing a proficiency test.
Computers are appliances, as are a myriad other electrical, electronic, mechanical, and electro-mechanical devices.
The use of automotive devices is regulated owing to such possessing the capability of causing immediate, and frequently irreparable, harm to both people and property. Computers do not present such a clear and present danger.
You're not allowed to drive a car before showing a certain amount of knowledge and skill at doing so - so why shouldn't users be educated.
Considering your later statement about how MS is so unfairly put-upon -- thus seeming to indicate that you hold MS Windows in reasonably high regard -- I find this statement kind of ironic. After all, if only people who were fairly knowledgeable about computers were allowed to use computers, MS Windows would probably become a far less commonly used OS.
Oh, yeah . . . and people can drive cars without taking a license test. The driver's license is only necessary for driving on public roads. On private property, you can drive without knowing a thing about the car if you want to.
I'm tired of hearing that Microsoft doesn't do this or that with the OS. Many times when they do try including extra functionality, somebody complains about their being a monopoly, blah, blah, blah. But when Apple does it, it's the greatest thing that ever happened. What's up with that??
I don't think I've ever heard anyone blame any innovative new OS capabilities on MS anticompetitive motives. Mostly, people (rightly) seem to blame MS anticompetitive practices on those motives -- practices like preventing others from developing and marketing innovative capabilities.
Why so much responsibility on the user?
That's easy. It's because the user is the one who (at least tacitly) chose the operating system! If users moved security further up the scale of priorities, eventually Microsoft Windows would either improve dramatically or drop off the face of the market.
Microsoft is giving its users exactly what they'll accept. As long as you keep accepting it, Microsoft will keep giving it to you. So far, while Microsoft has tried to remove other options from the market, it has not managed to succeed in doing so across the board, and what successes it has had have been entirely because people went along with it, accepting whatever Microsoft has deigned to give them.
If the user can't take responsibility for making decisions, someone else will do it for the user. More often than not, that person will not make decisions in the user's best interest, because the kind of people who like pushing decisions down others' throats are generally the kind of people who don't really do things in those others' best interests. In fact, often enough, they don't even do things in their own best interests -- even when they think they are serving their own interests.
I just wish winders would allow better options than
a. User
b. Administrator
--------------
For my kids to do anything decent, I gotta make them admins!!!
Why not have something in place that lets the user only corrupt their profile/area?
that would be nice.
is a type of user with limited install rights but not full control over the system directories.
Or, teach them to run as a non-admin user. I do admit some software is poorly written and requires admin access. Try to replace this asap. Supporting bad design and implementation only hurts us all in the long run.
If you can get your kids to use a sandbox to run their programs, that will protect the OS and the other data files.
But since you opened the can...
Cars have been in development for over 100 years. Air bags were introduced in what, the 1980s or 1990s? When were seat belts introduced and required?
Cars are really meant to do a very limited number of tasks as opposed to a computer which is meant to be able to do almost any task. That flexibility makes them vulnerable. If you don't like that get a web TV.
Bill
The government mandates them.
but, that has to do with the public paying the price for your (whoever's) stupidity.
If my computer gets AntiVirus 2009, it doesn't cost the tax payers anything really.
that you have to buy additional products to make the product even remotely secure.
The point is, would it make sense if all the basic safety features of cars were not included? Hence you would have to take your shiny new Buick down the street to get one brand of airbags, then to another shop to get the anti-lock brakes installed?
From a technology perspective, Microsoft could make their OS so that users do not have to spend extra time/money buying/installing/maintaining additional software.
Why don't they do this? They don't do this because it would put at least ten other software companies out of business.
Tomorrow Microsoft could buy a company like Kaspersky, Trend, or Webroot...and build that functionality into the OS, where it should have been from day one.
I'll mention Mac OS, not to bash Windows, but as an example that it can be done. Similarly, Linux or UNIX boxes do not require additional software to make them secure.
Tomorrow Microsoft could buy a company like Kaspersky, Trend, or Webroot...and build that functionality into the OS, where it should have been from day one.
That doesn't solve the problem. It just slaps a band-aid on a sucking chest wound. Consider the truth about viruses as an example of what really needs to be done to deal with virus issues, for instance -- the kind of solution that would make current antivirus software's functionality effectively obsolete.
I did not mean that MSFT would just bundle AV software with their OS; but rather that the smart people at these companies would sit down and explain to the OS developers why it's a bad idea to let untrusted processes write to the registry, why core executables of the OS need to be protected better, etc, etc.
A reading from the book of 'the truth about viruses':
"Antivirus software is basically just a dirty hack used to fill a gap in your system's defenses left by the negligence of software vendors who are unwilling to invest the resources to correct certain classes of security vulnerabilities."
Amen
That's a great plan. Now we just need to get Microsoft, and the smart people at the target acquisitions, to go along with it.
MS bought GIANT Antispy, which was a good program in its day. They turned it into Defender, which places next to last in the 'free' category of antispy applications. Any OS is so complicated it's like learning to fly in a Learjet. A lot harder than in a Cessna 150. So much harder that it's not surprising there's so many wrecks when ordinary people take a modern OS out for a spin. But since no one on the ground gets toasted when you crash there's no greater 'public good' in trying to force a company to make good products. People talking with their wallets is the only option available and will probably (and hopefully) remain that way. Imagine the government getting into software development? The thought's terrifying.
Why is application selection so bad?
Perhaps I'm misunderstanding you. Do you really want me to have to select MS Word every time I click on a .doc?
I agree mostly with this article...well written. However, in the real world a certain level of convenience is demanded from the end user whether it's good for them or not.
A file labeled foo.doc in your file manager window may very well be something other than a Microsoft Word DOC file. If you double-click on it, the thing might execute in some other way than by opening MS Word. Then, you have something on your computer doing something you don't want it to do.
I agree mostly with this article...well written.
Thanks.
However, in the real world a certain level of convenience is demanded from the end user whether it's good for them or not.
That's kinda the point. I'm peeved about the fact that people "demand" things that are just going to end up screwing them, then they complain about security issues that are (to some extent) essentially their own faults, since they demanded the very cause of those issues. Once they've gotten infected by some spambot software, they start sending emails to me, and others, and we all end up with an Internet getting saturated with spam and infected files, and so on.
I don't find that very convenient at all.
Think about what you said for a moment -- that people demand "a certain level of convenience", "whether it's good for them or not". That is the pet peeve in the list, in a nutshell -- not just because it isn't good for them, but because they affect other people with these terrible decision making skills of theirs.
As they say, if you aren't part of the solution. . . .
Of course, part of the problem is the experts, too. When a user says "I want this convenience," the expert should say "That's a really bad idea, and this is why." The expert sure as heck shouldn't say "Well, okay, we'll give that to you," and never even mention that it may increase vulnerability. Producing software that services these poorly conceived demands to which you refer without even informing users that such features are really bad ideas from a security standpoint is irresponsible in the extreme.
I completely agree and if I had a magical wand I'd make it happen.
However, that's just not reality. Many things in life have flaws by design in order for convenience.
It's our jobs in the IT profession to make the most of the real world. That's all.
I get what you're saying.
I'm not entirely convinced we can't fix the problem to a significant degree, given time and effort and luck, but I totally understand the impulse to believe it's unsolvable given the proclivities of people in large groups.
People did not demand that ActiveX could allow any script kiddie to own your PC, they just wanted pretty web pages.
What might really be happening is that the sales and marketing people are selling and promoting things faster than the developers can create secure applications and write good code.
I reject the argument that you cannot design and deploy an OS that is both user-friendly and secure. (Insert Mac OS and Linux argument here)
My argument is that the whole Windows OS security model is fatally flawed. To have to depend upon a slew of Anti-virus, anti-spyware, anti-rootkit, anti- who-knows-what is completely the wrong approach to security.
If you install anti-virus software on a pig, it's still a pig....
What might really be happening is that the sales and marketing people are selling and promoting things faster than the developers can create secure applications and write good code.
That's certainly part of the problem, but so too is the fact that, even after Microsoft creates an entire industry of poor security, people keep buying it. In short, part of the reason that sales and marketing people are allowed to set the direction of development, at the expense of security, reliability, and usability, is that vendors who allow sales and marketing people to do that are rewarded for that behavior.
I reject the argument that you cannot design and deploy an OS that is both user-friendly and secure. (Insert Mac OS and Linux argument here)
Good! (Insert mention of additional OSes here, such as FreeBSD.)
My argument is that the whole Windows OS security model is fatally flawed. To have to depend upon a slew of Anti-virus, anti-spyware, anti-rootkit, anti- who-knows-what is completely the wrong approach to security.
If you install anti-virus software on a pig, it's still a pig....
I absolutely agree.
. . . and if you keep choosing the pig over the lovely girl, you're going to keep ending up ballroom dancing with the pig. Eventually, the lovely girl may even just go away, and more pigs might show up hoping you'll pick them instead.
like driving a car. We can have all the laws and policies you want but in the end it is the driver that has full responsibility.
To some degree I think this is the same concept that we need to drive home to computer users. They are the driver and need to know the rules of internet highway and be prepared for the unknown by exercising safety and forethought.
Normally, I find the ubiquitous car analogies people love to use so much in discussions related to information technology matters, but in this case I think your choice of a car analogy is particularly apt.
Consider seat belts on automobiles. When I learned to drive at the age of 14, I had never ridden in a car that had seat belts installed, and I did not either drive or ride in one that had seat belts for at least another five years. Seat belts (which originally did not include a strap across the shoulder and body to the waist) were available as an option, but they had to be installed at the factory (so you would have to wait as long as six months before your new car arrived at the dealer).
The automakers said that there was no demand for seat belts. The vast majority of adults did not care whether they were installed, said that they would probably never use them if they were installed, and didn't want seat belts if they would significantly increase the price of a new car. Some people claimed that seat belts would make riding in an automobile LESS safe, and the reactionary blowhards of the day opined that Congress requiring seat belts in passenger automobiles was just another example of the "welfare state", in which the government presumed to know what was best for us.
Be that as it was, there was a long and sustained campaign by those who cared (supported by the medical profession and by the auto insurance companies), until Congress was finally convinced to require seat belts in all passenger automobiles, because the Senators and Representatives could _factually_ defend their support for the legislation.
Of course, once seat belts were installed, there had to be a long and enduring campaign to persuade the public to actually USE them. Now, nearly forty years later, seat belts are generally accepted and almost always used as a matter of course. We also have stiff legal penalties (fines, primarily) for those who just don't get a clue any other way.
Now, apply that history to changing any insecure aspect of the way that we use computers today, and you'll begin to see that computer and network security is not an issue that will be solved overnight.
Actually, the mandatory seatbelt laws are nanny state laws -- not welfare state laws.
I don't think that legislating the design of a car, or of an operating system, is the right way to handle things. Instead, user education is the key. If people know that seatbelts and privilege separation are important, they'll be more likely to buy cars with seatbelts and use operating systems with real privilege separation.
Remember -- there is no legal solution to malware.
There's a reason my 6.5HP chipper-shredder has a warning label that says not to use it indoors.
But seriously, kids ARE the ones who need nannies, and they are computer users too. I've seen several young-uns click on those 'your computer is infected' fake pop-up ads.
And I have the blessing of helping to support a couple of elderly computer users who would be likely to wash their computer with Lysol spray if it got infected.
It doesn't take all kinds, we just got all kinds....
What those kids need is a parent, at least until they learn they can't trust everybody on the Internet.
Even the worst nanny knows it's important not just to forbid or prescribe certain actions, but to educate her charge on the reasons for those actions. She also understands that at some point she must move on and her charge must be left to fend for itself.
The government nanny does not educate, nor does she let go...
... by making it impossible for malware writers (and spammers) to cash out.
Considering that a major motivation is money -- just follow the money and cut it off at the source.
Unfortunately, the source doesn't WANT to cut it off. Google makes billions on malware that fires up AdSense-based popups. Credit cards and banks make billions on transaction fees and charges.
How hard would it be to have an organization whose job it was to order stuff from SPAM and pop-ups with a special credit card -- which, when used would trip off an alert.
Just follow the money and shut down the merchant account and block the associated bank accounts.
Problem solved. (If anyone actually WANTED to solve the problem..)
1. Pay-Per-Click -- a malware writer infects your machine to fire off pop-ups containing pay-per-click ads. (Such as Google AdSense -- which is easily tricked.)
2. Pop-ups that are the same crap sold by SPAM -- viagra or whatever. People buy it with their credit cards -- the malware writers either get a commission (affiliate fee) or just sell the junk themselves, or just pretend to sell the stuff, process the order and vanish.
In ALL of these cases, you have 'willing partners' (Google, Visa, Mastercard, etc.) who turn a blind eye to the source of these mysterious revenues -- or claim that it is 'not their job' to be policing these kinds of things.
These days, there are literally THOUSANDS of systems offering 'pay-per-click' for traffic you send them. With these, the infected user doesn't have to buy anything - if they simply click a fake checkbox to close the window, it can redirect them to the vendor site and the malware writer earns money for the traffic.
Commission sales again -- there are tens of thousands of affiliate programs. While the victim still has to buy something in order for the malware writer to get paid -- enough people DO to make it worthwhile.
These things are EASY to stop. What is more difficult is where malware harvests data from the user's system, captures keystrokes etc. This data takes some work to translate into cash -- but considering the price of stolen IDs these days, it isn't hard to justify doing it.
Again, the credit card companies don't care. If someone clones your credit card and makes a bunch of purchases -- when you report it the charges are reversed and the VENDOR loses the money. Seldom, if ever, do the credit card companies ever try to catch the OFFENDER. They don't care -- the merchant is the one who ends up out of pocket.
In one case, someone cloned my credit card and bought a one-year health club membership. (Plus several thousand of other charges.) I asked why they just didn't send someone over or have the health club call them when the idiot showed up to use the membership -- they said they couldn't be bothered, not their problem, and that it happens all the time.
Last but not least is malware that sends SPAM. Companies marketing crap will pay a lot to have SPAM blasted to millions of addresses. Distributed SPAM relays are also much more difficult to block or blacklist than fixed open relays.
I actually use Google AdSense on some Websites, and I watch the ad content that appears on those sites with interest. I have yet to see any ad content even remotely similar to the kind of problem advertising you claim Google is peddling.
The POP UP that is fired off CONTAINS the AdSense ads. Nothing to do with Google's site.
The pop-up is treated (by Google) as an AdSense affiliate site. In theory, Google should be able to detect that the ads are appearing in a pop-up and not on a real web site -- but either the malware writers have a workaround (such as launching the pop-up FROM a spidered AdSense site), or Google simply doesn't care.
I've seen many, many people getting their AdSense accounts shut down for violating policy -- which doesn't allow for pages whose primary content is advertising, and would cover advertising pop-ups. Spammer forums are full of people who complain about Google AdSense, calling Google all kinds of unwholesome names, for "discriminating" against them.
Back when AdWords and AdSense were first starting, I had some beer making web sites and Google refused to allow me to use either program for my 'evil' sites.
About a year later, they changed policy and started to allow beer and wine. About another year later and they started allowing hard alcohol.
Now, well, there aren't too many keywords of any type that you can't find ads for.
Google is the same as any other corporation -- when billions of dollars in revenue meet dozens of lawyers -- the halo starts to slip over the definition of what is 'evil' vs. what is just 'good business'.
In any case, tricking the googlebots isn't difficult.
A couple of lines of ASP or PHP code detecting the user agent or IP can present Google whatever it 'wants' to see in the pop-ups fired off by the malware while presenting the victim with clickable (and chargeable) advertising.
Considering that even the cheapest possible keywords can generate $.50 to $1 per click and some of the more interesting keywords/ads can generate $30 to $50 PER CLICK -- the incentive is definitely there.
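A defender-side check for the user-agent cloaking described in the comment above, as an added example that is not part of the original thread: it compares the HTML a URL returned to a crawler user agent with the HTML it returned to a browser user agent. The sample pages, the hostnames, the 0.5 threshold and all function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _View(HTMLParser):
    """Collects visible words and linked hosts from one HTML response."""
    def __init__(self):
        super().__init__()
        self.words, self.hosts, self._skip = set(), set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1              # text inside these is not visible
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(w.lower() for w in data.split() if w.isalnum())

def _parse(html):
    view = _View()
    view.feed(html)
    view.close()
    return view

def jaccard(a, b):
    # Share of items common to both sets; two empty sets count as identical.
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def cloaking_report(crawler_html, browser_html, min_similarity=0.5):
    """Flag a page whose browser view diverges from its crawler view."""
    c, b = _parse(crawler_html), _parse(browser_html)
    sim = jaccard(c.words, b.words)
    extra_hosts = sorted(b.hosts - c.hosts)
    return {"text_similarity": round(sim, 2),
            "hosts_only_in_browser_view": extra_hosts,
            "suspicious": sim < min_similarity or bool(extra_hosts)}

# Constructed sample responses for one URL (hypothetical host ads.example.net).
CRAWLER_VIEW = "<html><body><h1>Home brewing tips</h1><p>How to sanitize bottles and pick hops</p></body></html>"
BROWSER_VIEW = ('<html><body><script>var x = "tips";</script>'
                '<a href="http://ads.example.net/click?id=1">Close this window</a>'
                '<a href="http://ads.example.net/click?id=2">Win a prize now</a></body></html>')
```

Legitimate sites also vary content by client, so a flagged page is a candidate for manual review rather than proof of cloaking.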
Malware is the head of a very slimy snake.
Malware has grown up from pimply-faced teens doing vandalism to millions of cybercriminals whose sole source of income is related to malware.
In addition to the issues stated in the prior post, let us not forget:
Ransomware: encrypt your data, pay to get it back
Extortion: plant illegal images on your PC, threaten to notify your superiors.
Fake Anti-spyware: When googling to find help, users end up buying fake software, which gives away their credit card numbers.
Bots-for-hire: Cybercriminals install remotely-controlled rootkits so they can marshal the use of thousands of PCs for DDoS attacks. They rent the use of these bots to others.
... any scenario where money is exchanged, it should be possible to track and catch the culprits. Money doesn't move anywhere without leaving a trail -- except in the form of cash.