Ask Slashdot: Who's Going To Win the Malware Arms Race? 155
An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?
More of the same (Score:5, Insightful)
No-one will "win", and it's not helpful to represent the issue as if it's "winnable" by either side.
Malware, viruses, trojans and other malicious behaviour of yet unheard methods will always be around, and we'll always be inventing new ways of counteracting them. Which will in turn be circumvented, and so it goes on.
Re:More of the same (Score:5, Insightful)
Barring some sort of radical change in priorities that causes the market to accept zero new features for, oh, a (human) generation or more, while vendors put out bugfix releases, 'winning' certainly isn't going to happen by doing conventional stuff; but harder.
If 'winning' in fact occurs, odds are excellent that it will be on some wonderfully dystopian lockdown platform that shrinks the problem space considerably by forbidding basically everything that hasn't been cryptopgraphically blessed by the vendor, sandboxed to hell and back, or both. Naturally, the power afforded to the vendor in this scenario will never be abused.
The future is now. (Score:5, Insightful)
You can already see the shape of that future in Google's Chrome OS. This is a very much "locked down" combination of operating system, browser, cloud applications, and storage. Security updates are automatic and (eventually) involuntary. You are limited to running the software that Google allows you to run, most of which is executed on Google servers. No website Java programs are allowed at all.
Such an architecture provides for maximum security and has the advantage of minimum hardware requirements for ram memory and on-machine storage. It allows for encryption of all communications between your computer and the outside world with mimimum involvement or decison making by the user. And from Google's point of view it represents the perfect vehicle for advertizing in a controlled enviornment. In a sense, your computer has already been hacked (by Google) when you buy it. And they will make sure it stays hacked to their preferences.
The next step will be integration of the computer operating system with the phone operating environment. The two will merge with more software coming from "app stores" and not from the wild. At the same time, the services on the computer will become more integrated with each other so that social media, calendar, voice calls, texting, and social media work togerther and don't work at all with outside software. It becomes a secure walled garden with enough internal features and flexibility to be tolerable to the mass users who are not or can not be responsible for their own security.
Re:The future is now. (Score:5, Interesting)
That model (locked down like ChromeOS or iOS) is already succeeding in the marketplace over more traditional computing models, because it's what most people want. It's safer for them, and they want their devices to "just work".
It's the inevitable end result. Except for some techies, almost everybody I know just wants to surf the web and send pictures to their friends and have that "just work". They have almost all given up on Windows in favor of mobile OSs for 99% of what they do. They sometimes still "have a PC", but don't use it much out of fear of malware, where they feel free to use the tablet, which has the side benefit of a much simpler interface for them.
Market pressure will drive this.
Re: (Score:2)
but don't use it much out of fear of malware
Actually, I think that they don't use their PC much because it's slow, clunky, and doesn't work very well. The number one complaint I hear from those forced to use Windows is that it takes forever to boot.
Not that malware might not be number one if users had a clearer understanding of what it is.
Re:The future is now. (Score:4, Interesting)
The number one complaint I hear from those forced to use Windows is that it takes forever to boot.
As one who uses Windows voluntarily, it's hard for me to relate to this. I typically boot it once a day (after turning it off the previous night), so it's no hardship to spend the couple of minutes it takes to boot on some other part of my morning routine.
My Android phone may be faster to boot than Windows, though I typically leave it on all the time since it doesn't use enough power to bother with turning it off at night. When I do restart it though, the process seems "slow". I think the reason is that I don't have cereal that needs eating or teeth that need brushing at those times.
So where's the hardship in waiting for Windows to boot? It ain't perfect, but boot time would be pretty far down on my own list of Windows complaints.
Re: (Score:2)
I guess a 10 second boot time is long by some standard. There isn't one PC at my work place that takes more than 20 seconds to be ready to work on. I only hear that excuse from bad IT people or IT people with little to no budget which means they are stuck with 7 year old PCs or even Macs. Blaming the OS or the hardware is often just an excuse for laziness.
Any poor integration of any type of hardware or software will always get this kind of response from it's users.
Malicious software and attacks will probabl
Re: (Score:2)
The number one complaint I hear from those forced to use Windows is that it takes forever to boot.
Then they're doing it too much.
It takes about 45 seconds for my desktop to come up from a cold boot to login screen, and I have not yet sprung for an SSD. This is long enough to be mildly annoying, but not nearly long enough to get up and do something else. My laptop takes more like three minutes, but it's a 1.6 GHz E-350 (2 cores). It's still not a huge problem because the desktop just gets put in Sleep mode and the laptop runs continuously (I have several services running on it 24/7 in addition to using i
Re:The future is now. (Score:5, Insightful)
The problem may become winnable if websites cease using infected ad hosts for revenue at the cost of their users sanity and security, let's face in todays internet most infection probably stems from infected advertising.
Re: (Score:2)
Re:The future is now. (Score:4, Informative)
Who's gonna win the war on drugs?
Who's gonna win the war on terror?
Who's gonna win the war on hacking?
Re: (Score:2, Flamebait)
OK, but seriously...
There's been some back and forth, but it seems like the arms race has been pretty balanced, so far.
WTH?!??
Dude, they're able to hacking air gapped computers, install self-concealing malware in BIOS and hard drive firmware, and undermine the protocols, networks, and hardware that makeup our computer systems.
There is *no* cybersecurity. Do you have your head in the sand?
Re:The future is now. (Score:4, Insightful)
This is the slow boiling of the frog. Convincing people that they "want" a lack of control is the key.
But people DO want a lack of control. I want a lack of control in some cases.
I have no interest in working on my car. In fact, not being able to work on my car is a great excuse to pay someone else to do it. But seriously, I wouldn't know what I was doing anyway. I certainly don't want to have to buy tools and teach myself grease-monkery! Lots of respect to those who can do that sort of thing, and I'm happy to throw money at them, I just have no interest or time for it. I would love a car that was immune to breakdowns, you buy it and it runs for 200,000 miles and never needs oil or anything.
To most people, computers are like their car: they just want it to work. A virus is like an oil change or a flat tire, something annoying that maybe they could fix on their own but they'd rather not have to. They really want the computer sealed and immune to breakdowns, and have zero interest in ever tinkering with it. If you could eliminate viruses and Windows-entropy, they'd be thrilled.
So you don't need to convince them. They need to convince you that is what they really want.
It's not a society of simpletons, it's a society of people who have better things to do.
Now I'm not playing devil's advocate. I'm with you, I want full control. That's because I know what I'm doing, and what I don't know I want to learn. It frustrates me no end to be prevented from tinkering. Hell it frustrates me just to have to use badly written software. But my mom doesn't care. The computer is just an appliance for accessing Facebook. It doesn't need to be user-serviceable any more than the sewer pipe running under your lawn.
Re: (Score:2)
I've been on reddit so long it took me a minute to realize I can't upvote you. Maybe not a lot of people here will agree with you, but you've nailed it. I work IT in environments with lots of regular folk and the power and flexibility I crave is a) useless to them and b) the source of the vast majority of their problems.
Re: (Score:2)
That's not at all clear. Mammals still get viruses and infections, and they've been fighting that battle for millions of years. In fact one arguement justifying the existence of sex is that it's to allow multicellular creatures to evolve fast enough to stave off most parasites. I'm not sure I believe it, but it's true that when asexual multicellular creatures evolve they generally go extinct fairly quickly. (Except for bdelloid rotifers...which are pretty small, and have rapid generations, and also enga
Re:The future is now. (Score:5, Insightful)
It's definitely a 'crypto lockdown to make security easier, and possibly even possible' device; and Google hardly encourages you to go forth and GNU; but they at least allow you to. That puts ChromeOS devices well above all iDevices, a fair percentage of Android hardware, and potentially above some 'trusted boot' UEFI systems(depending on whether you can re-key the system or not). It's certainly a good example; but it's far less of an anomaly than one would like.
Re:The future is now. (Score:5, Insightful)
Never mind that the hacker is a corporate entity listed on the stock exchange, they are still hackers. Never mind that they will claim that you agreed to this scenario by buying their kit (as if it will be possible to buy anything else, except similar rivals' kit) - that sounds just like an old style hacker claiming you agreed to their adware/botnet/malware by clicking on their email attachment.
I recently bought an Android tablet. I keep getting a full screen advert for some game pushed in my face without even a clear way to dismiss it. It is a game in the Android app store they want me to buy. It severely pisses me off; but it is not (by their definition) malware, it is "official". This takes place within what would be the "secure walled garden". I would rather take my chances in the shark pool - at least I am in control.
Comment removed (Score:4, Insightful)
Re: (Score:2)
Let's face it the day is probably approaching where we will have near zero control over our computers.
Re:The future is now. (Score:4, Insightful)
but why should a minority of us suffer due to a majority that aren't capable to make their own choices?
How is that not true of pretty much anything that has risk/danger associated with it which is ameliorated by prudence and caution?
Drugs: Many people are capable of using drugs sanely without risking themselves or other people, but because some minority shows absolutely no control we have massive controls on drugs.
Weapons: Many people are perfectly capable of safely owning even very destructive weapons without hurting themselves or others. But because some minority of people do batshit crazy things with weapons, we have a lot of controls on gun ownership and extreme controls on certain types of guns (automatic weapons, etc).
The list is endless. A minority of people are stupid, lack self control and any kind of prudence so we implement controls which address the lowest common denominator, occasionally allowing some people to jump through hoops to obtain slightly more access to something, but often with another set of draconian controls applied.
Re: (Score:2)
FTFY.
Re: (Score:2)
Why should the majority suffer because of a tiny minority who want to do stuff nobody else does?
There will always be hardware for that minority. It might not be as pretty and polished as the consumer stuff, and you might even have to *gasp* build it yourself, but you'll still be able to get it if you want it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
While arguably Google can be held to blame for you not knowing how to operate your own Android device, you are arguably even more to blame.
For pretty weak arguments, that is. 99 percent of people just don't have the inclination nor desire to root their android devices. Blaming this on them is silly.
Myself on the other hand, I love digging into operating systems and computers in general. One of my favorite parlor tricks is showing people Windows programs running in Linux on my Chromebook. Just to show I can. Or my HP Touchpad that I run Android on. Or my Windows PC that I dual boot into Mint, then run PC applications on it, Hell I even run my
not official (Score:2)
either you bought an already compromised tablet or you installed something suspect from the appstore.
and you can find out the offending app with free programs available from the appstore too, if you really can't remember what shit game you installed that it came with. if you don't have anything showing up on the application manager that you would guess to be the culprit, then your tablet came with the malware to begin with.
you know what's funny? slashdot runs apps on the mobile side that occasionally just f
Re: (Score:2)
Chrome OS is nice for some types of device, but won't replace workstations any time soon. Some tasks just need more power and flexibility. There is room for both, just like there is currently room for many different workstation operating system, or both laptops and tablets etc.
Re: (Score:2)
It's already replaced workstations for half the office employees here. All of the Sales staff have been moved over to Chromebooks completely.
Re: (Score:2)
And what happened to productivity??? Down down down I bet.
Re: (Score:2)
Stayed the same. IT productivity went way up.
Re: (Score:3)
I think you are correct but I hope you are wrong. The trouble with software not coming from the wild is it means there era of the hobbyist programmer is over. Which I think will in many ways also mean the end of innovation. Right now the app stores are full because there are enough people who already had the skills to create apps. They have those skills because they obtained them in a time where the barrier to entry was low. They had a PC and it was programmable and programmer friendly. So if folks th
Re: (Score:2)
Isn't this complaint similar to someone in the 1800's complaining about how the big industrial machines make it so that hobbyists who craft a small engine in their barn are no longer competitive, or in the mid 1900's complaining about electrical technology, or the 1980's complaining about circuitry, or ten years ago you couldn't build a competitive laptop? We have been in a golden age of hobbyist software since the personal computer allowed large numbers of people to own computers at home, but maybe that te
Re: (Score:2)
Isn't this complaint similar to someone in the 1800's complaining about how the big industrial machines make it so that hobbyists who craft a small engine in their barn are no longer competitive
I think this is different, or maybe i just see it that way being closer to it. Big industrial engines did not replace small barn built engines, the supplemented them. The farmer still needed a crude well pump and could not afford to have some 2 ton lump of iron shipped from back east. Similarly that barn mechanic could find a place servicing those big industrial engines in the field, they were not designed to lock him out.
Even today while the hobbyist isn't generally machining his own cylinder header any
Re: (Score:2)
The trouble with software not coming from the wild is it means there era of the hobbyist programmer is over.
There will always be hobbyist programmers. We are slowly transitioning from the Wild West (a free for all where anyone can participate) to a mature technology (a cartel of established players), but that doesn't mean hobbyists will go away.
Hobbyists are their own worst enemy. Crackers are just hobbyist programmers using their skills for evil. You give freedom to the general public and you're going t
Re: (Score:3)
This.
What we will see are vendors conflating locking the device away from its user with anti-malware protection... two different things, but both are considered "security".
I will also not be surprised to see more remote monitoring, where if a device reports that it was jailbroken or rooted, the cellular network blacklists that device's IMEI.
The future is now. Look at the latest generation of consoles as what we are going to have in our pockets and on our desks. Consoles have no issues with malware and a 0
Re: (Score:2)
Barring some sort of radical change in priorities that causes the market to accept zero new features for, oh, a (human) generation or more, while vendors put out bugfix releases, 'winning' certainly isn't going to happen by doing conventional stuff; but harder.
Pretty much says it all. The population of exploitable software, design, and hardware bugs is clearly quite large, and is unlikely to decrease much as long as "capabilites" grow and grow and grow.
We live in a world dominated by wishful thinking then
Re:More of the same (Score:4)
Actually, it is not impossible to secure a computing system. So in the end I assume the OSs will win.
Re: (Score:1)
I have a brick. It's pretty secure.
Re: (Score:2)
Re: (Score:2)
I likely have a new laptop before you have cracked that old one :D
My Thought (Score:2)
Re: (Score:3, Interesting)
Re:More of the same (Score:4, Insightful)
Re: (Score:3)
We'll win the malware arms race somewhere about the time we win the wars on drugs, crime, and proverty.
The only time you can "win" an arms race is if the other side becomes exhausted. Such wins are often pyhrric.
Re: (Score:2)
well, "they" can "win".
I mean, big corps can win and somehow manage to put in a system where you can't run applications you want to run on your pc.
as long as you can run whatever program you want, there will be malware. and probably a little while after you can't run what you want but hackers can.
Re: (Score:2)
Re: (Score:2)
Make everyone reboot into a clean OS every 30-60 minutes, where the "old used OS" is trashed. At least that eliminates the OS side of contamination.
Commander Adama (Score:2)
The people most likely to release a rogue AI will be malware people since they have no reason to hold back. At some point the AI will self evolve and then we get skynet. Only Commander adama will have old enough tech to escape our cyber overlord's long reach.
Is the government helping or hindering the future (Score:1)
At the moment the NSA & GCHQ, and other agencies [arstechnica.com] are at the behest of politicians [theguardian.com] that want to see all our communications are working against the security industry. If this continues I see a bleak future. But if we manage to get these organisations to support security I see a much better future.
One Solved (Score:1)
trojan horses
The Greeks won that particular arms race.
Re: (Score:2)
The Greeks won that particular arms race.
Yes, but they had to resort to social engineering.
That I don't know bit the loser is... (Score:2)
This one's for the general population (Score:2)
This arms race will go for the users. The reason being that there's too much money in play to allow the opposite.
Whatever has to be done will be done. If it becomes such a problem that the USA has to invent a "war on hacker" and start "bombing by IP", it will.
But we're talking a long, long time from now. Like many, many... weeks.
Re: (Score:2)
Whatever has to be done will be done
Whatever HAS to be done is already being done. Users are en masse accepting the level of risk as it exists today, so there is no reason to do anything more on the security side. We accept a certain amount of fraud and other crimes in the rest of the world, we will continue to accept this in the Internet world as well. Diminishing returns mean we will never pay the price to pursue eliminating the last 1% of online crime.
Re:This one's for the general population (Score:4, Insightful)
I'm inclined to think the opposite.
All of the companies who want to sell us products care only about that. They don't give a damn about the security of those products.
Until consumers wise up and insist on security, or corporations carry some liability for failing to do that, then corporations will just push stuff out the door with half assed security.
It can't just be a war on hacker. It has to also be a war on products with utterly crap security which never gets fixed. Because this Internet of Stuff is shaping up to be some of the biggest security holes imaginable.
Most consumer products do terrible stuff like transmitting passwords in the clear. Chasing down hackers who exploit incompetently/lazily written products can never overcome that.
Re: (Score:2)
To follow that, the security problems we're discussing might not even be on the end user's devices themselves.
The biggest holes seem to be with the corporations data security (or lack thereof) and willing sharing of personal information to even less secure third parties.
If you're worried about identity theft, malware from some shady website may not be as big of a concern as a data breach involving thousands of customers.
Nobody. And NSA etc. sabotage makes things worse (Score:5, Insightful)
It is bad enough as it is with most software being insecure. Sabotage only makes things a lot worse. And for what? A zero-success track-record against terrorism? Industrial espionage? Having dirt on any possible future and present President, Congress Man, Senator?
Re: (Score:2)
depends (Score:2)
As long as consuming content over the internet does not require downloading and running code, it will stay relatively safe.
Re: (Score:1)
As long as consuming content over the internet does not require downloading and running code, it will stay relatively safe.
Or as long as you didn't communicate using OpenSSL, used Bash(door), used Linux glibc (ghost), etc.
Re:depends (Score:5, Insightful)
You mean like browsers and Javascript? In that case 99% of the population has lost already. The pwn2own competition results are rather miserable [wikipedia.org]. The part that /. probably doesn't want to hear is that the primary effect is centralization and gatekeepers.
Take Usenet for example, it got overrun by spammers and trolls because there was no real way to block them and the few moderated groups basically meant a few people were in control of the discussion. Instead we moved to forums, where you could use CAPTCHAs and various other tricks to block mass sign-ups, moderation, flagging of abusive users and so on. They're not perfect, but they work okay.
Why do so many people use Facebook instead of email? Same thing, much less SPAM. For the longest time, Linux users hailed the repository model over the Windows "download random exe from the Internet" model. Then Apple took it to the extreme with the "one store to rule them all" and suddenly it was a problem. Even on Android you have to pass by huge warning lights to enable third party repositories and Windows Phone has as far as I know joined Apple in the "one store" model.
My guess is that they'll push it to the cloud so all the application code runs on a server and they just need to lock down the browser, more per user&app sandboxes, more difficult time running unsigned software and more users with computers that need Apple's, Microsoft's or Google's sign-off to run an application. The average user simply doesn't understand the micromanagement involved, same way users won't use NoScript when browsing the web. They'll "outsource" it.
Re: (Score:2)
I don't think it's so bad. The pwn2own competition is notable primarily for the ridiculous levels of skill required to actually beat modern browser security (note: I do not include the still unsandboxed Firefox in this category).
What's been happening in recent years is that more and more bugs are being found by whitehat hackers first, with the complexity and diffic
Usenet (Score:2)
And the irony is the spammers did such a good job of forcing people off usenet that there were so few people left the spammers gave up bothering and moved on to more lucrative enviroments to screw up. The upshot is that usenet is actually quite usable now, though NNTP servers are slowly disappearing sadly.
No-one's going to win (Score:4, Interesting)
Which side is going to win?
What makes you think it'll ever be over?
Here's a sports analogy [youtube.com], if you need one.
(the radio version was better but I couldn't find it)
Re:No-one's going to win (Score:5, Funny)
I'm sorry. This is Slashdot so we'll be needing a car analogy.
Re: (Score:2)
I'm sorry. This is Slashdot so we'll be needing a car analogy.
Demolition Derby?
idiots will lose (Score:2)
that's all we can be certain of really.
The good news is that the public are becoming more educated on the subject. I've noticed it over the years. They're getting more mindful about not sticking their dicks in electrical sockets... even if the buzzing sensation is momentarily enjoyable.
Re:idiots will lose (Score:5, Interesting)
Right with you on the javascript thing. I use noscript passively everywhere. The internet is just a nicer place when random javascript has to have permission to run at all.
I only run what I have to run.
I do the same thing with cookies. If a site doesn't need cookies then I don't let it store them on my machine. And third party cookies? ha. Basically never. I go through most of the internet like a ghost. They can track my IP I guess but that is a far cry from loading me up with tracking cookies or insane amounts of nested javascripts.
Have you ever seen how they're set up? They put one inside another inside another inside another. They're like those fucking russian dolls only worse. You'll have five or six nested inside of one script and then each of those could have two or three scripts inside of it and so on. It is insane. There needs to be some sort of passive standard that limits scripts to the host domain. I don't understand why you'd run foreign scripts. There's no reason for it. ANd if you REALLY need to, then fine... let people right click something to add an exception but if most people don't do that the web admins will craft less retarded sites... and hopefully the ad people will be less obnoxious.
Re: (Score:2)
Why do I care if it knows I am running windows 7, Firefox version whatever, and have 2000 fonts installed?
What is more, if I really cared about that, I could install a plug in that told websites I was using a different OS, browser, etc. But that isn't private information in my opinion. I don't see how it identifies me.
As to why the feature is in place, it happened in large part because browsers interpret pages differently and often webpages have to have different versions to run properly on different browse
Save the LOL Cats! (Score:1)
On the plus side, global warming will not be a problem because all economic activity will cease and no fossil fuel will be consumed.
Japan and the US will be particularly hard hit. Parts of the EU as well. It's more uncertain what will happen to emerging economies like China, India and Brazil. LOL and/or cats is such a world wide phenomenon that no place will escape unscathed.
No matter what the Amazon will start
We've all already lost (Score:1)
Both sides will win (Score:2)
It's the same as with two teams of lawyers battling it out for two parties: in the end only the lawyers really win.
These hackers on both sides basically just cause employment for each other, and therefore both sides win, and all those not involved are the biggest losers.
I know who's going to lose (Score:2, Offtopic)
Two things:
- the US has accelerated the development of malware and lifted it to a new level.
- the US has lots of advanced technology that's vulnerable to malware.
So if there's a cyberwar between backward North Korea and the US , who you'll think will lose?
The NSA is going to win (Score:3, Insightful)
Since the NSA seems to be the most heavily capitalized producer of both malware and mitigationware, I think the question of which side is going to win is a bit irrelevant. Yes, they will win.
Re: (Score:1)
Open source will win (Score:4, Insightful)
The open source software world will win in the long term through sustained application of the continual improvement process. There are millions of "us" and only thousands of "them". The most vulnerable in five years time will be closed systems.
Re: (Score:3, Insightful)
>There are millions of "us" and only thousands of "them".
The people auditing OpenSSL after the Heartbleed incident would like a word with you...
(By the way, thank you. Next time some /.er says nobody here ever "really" believed in the whole "many eyes makes all bugs shallow" fallacy, I shall point them to your post.)
We will all lose (Score:2)
The internet will be harder and harder to use, it will be a more dangerous place every year, and the skills you'll need to use it without being robbed or blackmailed will increase. I suspect there will be parallel internets, usable by tech savvy people only, as a layer on top of the net as we know it, similar to the dark nets we see now. 20 years from now, most of us here will be able to use the net in a more or less safe way, whereas a majority of people will not.
Two Extremes Will Win (Score:3)
Minor infections will become less common, as the attack surface area is reduced and mitigated over time. New APIs and interfaces will be created, creating N+1 standards, but they'll be more secure than the older ones they supersede. For example, Flash and ActiveX are slowly going away in favor of more secure alternatives. How many critical html5 vulnerabilities are found in your browser of choice compared to critical Flash/Java Web Client vulnerabilities? Open source is a big part of it, but security being baked into the design rather than being tacked-on after thousands of vulnerabilities have been written into legacy code is bigger.
On the downside, when you DO catch an infection, it'll be nasty. New methods for hiding in firmwares will require removing chips and re-flashing them, and unless open firmware takes off in a big way, in practice this will mean replacing hardware very carefully so it doesn't infect the new hardware. It will be virtually undetectable, and have countless methods for defeating airgapping, virtual machines, decompiling, reverse engineering, and antivirus software. So once your machine is owned, it'll really be owned.
The best thing that can be done is to systematically eliminate every motivation to deploy malware: make spam unprofitable, harden SCADA to eliminate sabotage, mature altcoins to not benefit from stolen processing cycles, and regulate online advertising so ad injection is pointless. Also, rework the protocols that allow DDOSing, and require actual two-factor authentication for financial websites/transactions. Eventually, I think malware will be rare/invisible enough that only computer scientists will know about it, ordinary users won't worry about it.
Comment removed (Score:4, Funny)
Malware ads (Score:1)
Security vendors and malware detection .. (Score:1)
This document from 2005 sets out why relying on detecting malware doesn't work. ' The Six Dumbest Ideas in Computer Security [clemson.edu]'
"Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with
Re: (Score:2)
Re: (Score:2)
Nobody will win, but someone will (Score:1)
My answer is: C none of the above.
There are third parties who are going to come out winners here.
- nation-states that use/abuse the hackers (think China, the NSA, and such who subvert botnets, who already know who-is-who. Companies who want to hurt the competition in illegal ways and not get caught can sponsor hacks of competitor flagships.)
- hardware/software vendors who provide (mediocre) protection against unforseen threats. (The same fear-based motivation for the ignorant masses is used by politicians
Internet3 (Score:2)
This is indeed a winnable race (Score:2)
Clearly financial gain is THE prime motivator, although notoriety is a close second - mostly because it leads to money.
The war, though, is certainly winnable. The idea of certified manifests is getting close to the solution - there is certainly more work and thought to be applied to that though.
End user expectation management is in order too. The days of downloading software are coming to a close. I
AVP - Anti-Virus Protection or Alien vs Predator? (Score:2)
Government and inept companies ... (Score:2)
Our biggest challenges with security are asshole governments who want to undermine security so they can spy on us, and incompetent companies who sell us insecure products because they just want to push some bauble out the door.
As long as we have these two problems, the malware folks will always win, because we will not have the tools required to keep them out.
If spying governments and inept corporations are the weak links, we're pretty much screwed.
So the next time some asshole in a spy agency says we shoul
Who will win? (Score:3)
Neither. The malware war, like tic-tac-toe and global thermonuclear war, is unwinnable.
Who's Going To Win the Malware Arms Race? (Score:2)
I'm afraid (Score:2)
When the first bots started I wish the internet providers had taken steps to complet
Neither side wants to win (Score:2)
Virus and antivirus suppliers have a symbiotic business relationship, each requires the other to continually make slow progress, rendering their old product useless, so they can sell their new product. If either side 'won', then they would cease being able to sell upgrades, their business model requires then not to win.
Moore's Law (Score:2)
Computers roughly double in power every two years.
That means every two years, malware can be twice as destructive.
Security constantly improves, but it doesn't improve as fast.
Measured as a percentage, the amount of damage being done will go down.
Measured as an absolute, the amount of damage will go up.
Re: (Score:2)
But you can do so much more sloppy programming with a more capable computer.
OTOH why does twice as much capability mean twice as much malware? Why not four times as much ? Or nine? or sixteen? Or maybe the malware to capability ratio is logarithmic
Nobody Wins (Score:2)
It is going to get to the point where the only viable solution is a trusted sandbox. It will be something along the lines of a TPM chip to make sure that the OS image / boot loader has not been compromised, combined with a white listed set of applications and trusted content sources.
People are either going to give up computing freedom for security, or they are going to become desensitized to and accepting of the fact that their "private / personal data" is neither.
Re: (Score:2)
> It is going to get to the point where the only viable solution is a trusted sandbox. It will be something along the lines of a TPM chip to make sure that the OS image / boot loader has not been compromised, combined with a white listed set of applications and trusted content sources.
Maybe .. But seriously, it's not clear that this point that a trusted sandbox is actually achievable even in concept, much less in practice. Nor is it clear that anyone other than some classes of users who are forced by la
Re: (Score:2)
Nor is it clear that anyone other than some classes of users who are forced by law or employer dictate to use a trusted system actually would do so. No or very restricted email, social networking, etc.
This is the environment that I work in. We use a combination of Citrix and VMware 'non-persistent disks' to provide a locked down environment that reverts to a clean, known good configuration every time a new session is established. We have to maintain that kind of environment because we work with sensitive
Technology License (Score:2)
People, i.e. Joe Public, don't understand what a massive gift technology is to either enslave or free them. In the cyber era technical folk will be both revered and feared because people don't invest in the critical thinking skills required to be responsible netizens, frankly browse here at -1 and see how many pointless annoying trolls there are. Perhaps people should have to be qualified and prove they are responsible enough to use the net.
The Information Technology arms race should have always been a sta
Re: (Score:2)
No need to type that "over the internet" part.