In zombies we trust


* Ryan Naraine is on vacation.

Guest Editorial by Dan Geer

When the Internet was young, the design assumption for electronic commerce was clear: The client initiated the connection from a trusted machine and needed to be assured that the server side was not an impostor. This is how we got the general design of SSL -- the browser would check that the credential of the server was valid and the transaction itself would be an encrypted conversation between a client who trusts himself and a server newly shown to be trustworthy.

Would that it were still so simple.

A little over a year ago, I wrote an editorial where, in back-of-the-envelope style (PDF), I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. In the intervening months I received a certain amount of hate mail, but in those same months Vint Cerf guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths. It is thus a conservative risk position to assume that any random counterparty stands a fair chance of being already compromised.

We already know, through various published numbers, that amongst people whose computers have at least one infection, the average number of infections is four. We already know that amongst people who are being watched by a key logger, at least 10% have a second keylogger. We already know a lot of things of this sort. This parallels the real world, where people who get venereal diseases tend to get more than one. The reason is simple: the infections -- computer or cellular -- are side effects of behavior, and consistent behavior tends toward consistent results.

So, going back to the design framework of early electronic commerce, one assumed that the initiating client and the responding merchant server were safe, only the Big Bad Internet was not. However, if you are a merchant and I am right, a large portion of the clients who are calling you up today are infected. If you are the sort of merchant who really, really likes your clients to establish login names, passwords, and all the accoutrement of a formal relationship, your merchant software will be quite regularly kissing some infected machines on the lips.

So here is a theory: there are two kinds of people out there, those who always say "Yes" and those who always say "No." Those who always say "Yes" are eventually infected. Those who always say "No" may escape infection. As a merchant, what are you to do, especially as the point of most client infections is to use the infected clients to get to you? If you do nothing, then you end up choosing which of these two phone conversations you have:

Customer: I did not buy that stock. Merchant: You are an idiot.

-or-

Customer: I did not buy that stock. Merchant: We'll make it up to you.

Now the merchants, being big boys and girls, can do whatever they like though they generally choose Option B. However, as the cost of "We'll make it up to you" mounts, we security people inherit a design choice that is the point of this essay.

So, without further buildup, here's the punchline: Contingent on the premises that (1) there are the always-Yes sorts and the always-No sorts, and (2) that as a merchant your opponent is after you, then purely as a matter of rationality we should design merchant systems to do this:

When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say Yes and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction -- by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."

If they say "No," then you presume that they always say No and thus they are likely to be sharp enough that they are not infected and you can proceed with a transaction in the normal way -- a secure way, of course, but one that does not involve 0wning them up.

So, Dear Reader, if you want to comment on all this, comment on whether the two kinds of people are what you see, and on whether, when doing business with an already compromised host, it is or is not wise to take further advantage of it (asking permission, of course). Done right, there is little doubt that this is net risk reducing...

* Dan Geer is VP and chief scientist at Verdasys and principal of Geer Risk Services. He published a 2003 paper arguing that Microsoft was a monoculture; he was fired the day the report was made public.

Talkback

27 comments
  • In microsoft fools trust

    Their junky, bug-filled code is to blame for all of these woes.

    The incompetent manner in which they develop and test their so-called
    'operating system' has built an empire of bloated security application
    vendors, with no incentive to improve as it may hamper the money train's
    momentum.

    Microsoft's idea of good security is a pop-up window asking the user "YES
    or NO" to install dozens of crappy plug-ins.

    Then companies foolishly allowed Microsoft into the server rooms, allowing
    bugs and zombies to spread even faster. But this created a whole new level
    of enterprise security cash cow for vendors.

    And the PC techies ;) fall at Microsoft's feet, asking for more punishment
    so they can continue to write useless drivel about 'going home for the
    holidays' to fix families' malware-infected PCs. Or about how Microsoft has
    suckered you poor fools into believing five different Vistas is really a
    'choice'.

    A choice all right: "How may we take your money and infect you today?
    Take your pick!"
    NoPumpGas
    • Yo, moron....

      Hey, you no pump gas?

      You no have brains either!!!! If you can only blame a vendor, no matter whom it is, then you have no business being a tech, and that's only if you are one. And you are most likely a poor one at that! I can get a buffoon who can do a better job of protecting a computer than you can! People who blog and blame vendors are insecure, immature, and mostly brainless twits! Get a life...
      fredfarkwater
      • Touched a nerve?

        I don't remember him saying he was a techie, so why try and ridicule him as though he was one? That is a strawman argument and as soon as you use one you have failed the argument because you are only arguing against yourself.
        Bozzer
  • A slight problem

    You have presented a black-white fallacy. There are a significant subset who say NO unless they are at a bank/reputable web retailer etc.... They change their NO behavior to YES when presented with the option for additional security.

    I suspect that you want to throw the root kit at those who disregard the security measures. And you're right when you say that some people will always hit YES to make the box go away. So you will want to throw the root kit at those who hit YES.

    So, umm, guess what I am saying is that you will ALWAYS want to send the root kit to those who say YES and those who say NO.

    Instead of a once-use root kit, maybe you need a browser plugin (ALL BROWSERS NOT JUST IE, thanks) that will control the session between the bank/retailer and the keyboard/video card.
    mtgarden
  • Sounds like someone has a point to make, ha.

    Well, the previous comment just sounds like a complete rant on something he doesn't like. I do recall Apple releasing a big update of 40-50 patches. I would expect every company besides Microsoft to not have these patches because their code is secure as ever when it leaves the Apple compound or Linux factory. I guess we all forget that Microsoft has a huge red target on it, while these others have enjoyed a day at the beach for so many years. Honestly, I can't wait to see the change some day so we can all revisit these worthless accusations that will ring true for the next guy, but you won't see me say it's crap code. Advice to everyone: to avoid getting infected, try staying away from the PORN sites, downloading songs off LimeWire, and clicking every Google response you get.
    OhTheHumanity
  • only two kinds?

    Dear Dan,

    Why do you pre-suppose there are only yes-men and no-men?
    Prior to reading your article (which I do think has influenced my opinion, btw), had I been presented with that super-secure screen, I would have looked for a button that would tell me more. If they didn't have one, then I would most assuredly say no. But on the off chance I might learn something, I'd look for more info...

    Why shouldn't vendors "wear latex" with all customer connections?
    ridingthewind
    • Missing Button

      Looks like they forgot about the "maybe" button?

      Actually, if the OS and browser were designed correctly, the site would not be capable of providing that option. You could ask "Yes" or "No" all you want, but the keyboard-routing code would never be executed -- or else, it would be restricted to the browser anyway.

      Furthermore, in those cases where the code was presented as a downloadable program, if the user permits just anyone to install it, then actually *runs* the code...

      There really isn't much the site owner can do about this problem. This is just another instance of Stupid User Syndrome.
      fde101
  • How can you tell this is fear mongering?

    When you, ahem, misrepresent the statistics you display.
    "I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. ... Vint Cerf guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths. It is thus a conservative risk position to assume that any random counterparty stands a fair chance of being already compromised."

    Microsoft says 66% of all Windows machines are in botnets? Really? No, of course not. Following the link in your article and then one more (http://www.eweek.com/article2/0,1895,1974620,00.asp) we find the source of your "statistic":
    "Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot."

    Combine this with:
    "On average, the tool removes at least one instance of a virus, Trojan, rootkit or worm from every 311 computers it runs on."

    and we can revise your statistic from 2/3 to 2/1000. But what is 3 orders of magnitude between friends?! You wrote the equivalent of: "50% of factory fresh iPhones were bricked in the most recent update" when the truth is that 50% of *bricked* phones were factory fresh and not hacked (http://www.engadget.com/2007/10/01/poll-did-you-upgrade-your-iphone-to-firmware-v1-1-1/). Huge difference.
    NonZealot
  • Buy a PC with windows and get infected

    All PC come with some form of trial AV protection, but Microsoft
    products are so flawed that not even pre installed AV/Spyware
    can stop a product so poorly designed.

    This report clearly illustrates how Microsoft has damaged the
    internet as we know it:

    http://www.secureworks.com/research/threats/spamthru-stats/
    NoPumpGas
    • Buy a PC with Windows and get infected? Funny to me

      Buy a PC with Windows and get infected? Funny to me. I have never been infected in the 23 years I've been computing.

      I'm sorry if you don't know how to use a Windows PC without getting infected.

      You never trust anti-virus by itself; it's common sense.

      I would tell you how not to get infected, but you are an ABMer, so you don't use Windows and are so much smarter than us anyway ;)
      SO.CAL Guy
      • Touched a nerve?

        The reality of the matter is that it is easy for a windows PC to get infected regardless of how glib you can be with comments such as

        "I'm sorry if you don't know how to use a Windows PC without getting infected."

        I don't remember him saying he doesn't know how to use a PC without getting infected. So why formulate an argument against someone based on something that you yourself made up?

        You do realise that the only person you are arguing with is yourself?
        Bozzer
        • You're not a person

          you're a parrot... What? Did you read the first chapter of Arguments for Dummies and decide to test it out here on these forums? That's the second time you have used that line, and the second time you've used it incorrectly!!! What's the deal with you?!?! Idiot!!!
          samoanbiscuit
  • A very good practical approach to the problem

    The only concern I would have is that some individuals who are informed about security and the issues arising when prompted about a secure option for a transaction, (this would be after verifying the authenticity of the site with tools like McAfee SiteAdvisor, netcraft, ASnumber resolution etc) would most probably say yes if they did not fully understand the implemented technology. This would be based purely on trusting the other site after ascertaining that they are who they claim they are.

    In short, I would suggest a brief description as to the secure feature using a once rootkit installation process. This would inform informed users exactly what is going on. The rest of the users that you allude to would still most likely press Yes for they wouldn't understand the Mumbo Jumbo displayed anyway.

    I think your idea is a good one to have as added arsenal in this security duel.
    goxk
  • RE: In zombies we trust

    Uh, am I really the only one that thinks 'crackpot'? First of all, let's avoid the argument of ethics, law and morality of your breaking into my machine. How do you propose to:

    "by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say 'Yes.'"

    Through a website? First of all, you're talking about installing a *network stack* through a *webpage*. That's ring-3 to ring-0 via HTML?! Am I even supposed to take you seriously at this point?

    I mean seriously in what world is this even a moderately realistic solution? For starters, why do you as the vendor even care? You're covered from fraud either way.

    So yeah, neat idea, but please, seriously- go back to Missouri or whatever log cabin you climbed out of and try your shot at being an astronaut or whatever was next on your list after 'computer security blogger'
    dfgdgdfgdsfsdfsdfdsfsdf
  • RE: In zombies we trust

    You never considered the case of people who say yes sometimes and no sometimes. Given a probability "p" of guessing yes, you looked at the special cases p=0 and p=1. How does your system deal with intermediate values?
    kbkakbka
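The essay's always-Yes / always-No model, extended with the intermediate users this comment asks about, worked as a small Bayesian computation. This is an added example, not part of the original post or thread; every population share, answer probability and infection rate in it is a constructed assumption, chosen only to show how the Yes/No answer performs as a classifier of already-compromised clients.

```python
"""Bayesian view of the 'always-Yes / always-No' heuristic from the essay.

Added example (not from the original post). All population shares and
infection rates below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserType:
    name: str
    share: float       # fraction of connecting clients that are of this type
    p_yes: float       # probability this type accepts the "extra secure" offer
    p_infected: float  # probability a machine of this type is already compromised


# Constructed population: the essay's two extremes plus the intermediate
# "sometimes Yes, sometimes No" users the comment asks about (p = 0.5 here).
POPULATION = (
    UserType("always-yes", share=0.40, p_yes=1.0, p_infected=0.50),
    UserType("always-no", share=0.30, p_yes=0.0, p_infected=0.10),
    UserType("discriminating", share=0.30, p_yes=0.5, p_infected=0.20),
)


def _p_answer(t: UserType, answer: str) -> float:
    """P(answer | type)."""
    return t.p_yes if answer == "yes" else 1.0 - t.p_yes


def base_rate(population=POPULATION) -> float:
    """Unconditional P(infected): what a merchant faces before asking anything."""
    return sum(t.share * t.p_infected for t in population)


def posterior_infected(answer: str, population=POPULATION) -> float:
    """P(infected | answer). Within a type, the answer and the infection are
    taken as independent, which is the essay's model: behaviour drives both."""
    p_answer = sum(t.share * _p_answer(t, answer) for t in population)
    p_answer_and_inf = sum(t.share * _p_answer(t, answer) * t.p_infected
                           for t in population)
    return p_answer_and_inf / p_answer


def leak_into_normal_path(population=POPULATION) -> float:
    """Fraction of all infected clients that answer "No" and are therefore
    handled on the normal, trusted transaction path."""
    infected_saying_no = sum(t.share * (1.0 - t.p_yes) * t.p_infected
                             for t in population)
    return infected_saying_no / base_rate(population)


if __name__ == "__main__":
    print(f"base rate                : {base_rate():.3f}")
    print(f"P(infected | yes)        : {posterior_infected('yes'):.3f}")
    print(f"P(infected | no)         : {posterior_infected('no'):.3f}")
    print(f"infected on normal path  : {leak_into_normal_path():.3f}")
```

With these assumptions the "Yes" answer raises the infection estimate from 29% to about 42% and "No" lowers it to about 13%, yet roughly a fifth of all infected machines still land on the trusted path, which is the practical cost of a one-bit classifier.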
  • A more effective solution?

    I like the idea of trying to figure out whether a user is an idiot and basing trust on that. But I am not sure that the heuristic of just asking them if they want more security is adequate to make that judgment.

    I read a proposal to detect whether the user has visited any known malicious sites by checking their browser history with a CSS trick and thought that was promising:

    http://www.ravenwhite.com/files/rhd.pdf

    What do you think?
    haruspicator
    • Are you kidding me?

      In this age of concerns about eroding privacy you are advocating that I let a merchant examine my browser history? Sorry, dude, what happens on my machine is NONE of ANY merchant's business. Just like they don't let me browse THEIR machines to see if there are any stray goodies I can use/exploit/record, I don't think they should be allowed to tiptoe through my machine because I MIGHT be infected. What's next, government agents checking for naughty e-mails, or evil political opinions, during my on-line shopping sessions?
      fionncreagh9
  • Security = Inconvenience

    Unfortunately, a lot of the very users that get infected have the notion that security = inconvenience. While this is often true, these same users often have the attitude of "it can't happen to me" or "I don't have anything important enough to secure", and will take risks without understanding them or the consequences to other users.

    So the very users that you want to say yes will probably be likely to deviate from that behavior just because "secure" is mentioned.
    sdaugherty
  • So what about us smart users...

    So what about us smart users who either say yes or no discriminately, after analyzing the issue and making an informed decision? You seem to assume that there aren't any of us out there. When my firewall asks me if Firefox can access the internet, I say yes. When it asks me if sub7 can access the internet, I say no, and then promptly format and rebuild. That's the way it's supposed to work.

    Oh, and you can keep your rootkit. I won't deal with your company if that is how you do business.

    And how arrogant are you to assume that most client infections are targeting you (or other e-tailers)? 2006 & 7 were all about Trojans, most of which stole your password information. That targets the user, not you. Or are you opining that you lost 1 transaction to fraud, while the user whose vital statistics are now available in any Russian market is simply collateral damage?

    I'm sick and tired of companies making me lower my defenses so that their self-serving security measures can work. You are part of the problem.
    doas777
    • Part of the problem . . .

      Amen to this. I am currently fighting a (probably) losing battle to keep my machines free of infection and now a merchant site wants to download a rootkit onto my machine? I don't care if I'm one of your dumb users or a smart user, enough press has inflamed the worries about rootkits to make almost anyone refuse the "offer" of "added security" at the price of downloading a "one-use" rootkit. Sorry man. I don't believe in a one-use Kleenex. One-use software is even more unlikely.
      fionncreagh9