A Revolution is the Solution
I'm seriously going to start writing how-to blogs that are directed at large sites explaining how to properly fight spam and whatnot.
Having to blog about the Quicktime / MySpace thing yet again has left me shaking my head.
/methinks the good guys are doing pretty good nowadays. 
LoLo |
Homepage |
01.08.07 - 2:38 pm | #
|
|
I'm guessing the comment was taken out of context. To me, the linked NYTimes article is the sort of FUD used to set the stage for persuading the sheeple to let the governments have total control of the Net. At the same time, we have big telcos and friends arguing to end anything resembling Net Neutrality. "Don't you see how we can make this problem go away if you just let us...?"
I've been reading about parallel protocols to replace the current Net, to sort of abandon the overrun position to the enemy, maybe even scorched earth style, and start fresh.
Ed Hurst |
Homepage |
01.08.07 - 2:57 pm | #
|
|
"Volunteer-driven initiatives such as MIRT, PIRT and Shadowserver are giving people who thought they might be safely tucked away in obscure pockets of the net cause for concern. We still have an endless supply of forums and websites providing education, assistance and clean up for free."
I think that's exactly the point. In a 'safe' Internet, you SHOULDN'T have zillions of forums dedicated to malware removal and assistance. Sorry, I'm with Gadi Evron on this one.
TNT |
Homepage |
01.08.07 - 7:54 pm | #
|
|
But Gadi is saying the war to *make* the internet safe was lost long ago - he's not making any claim to what the internal make up of a "safe" internet would be.
Are those groups mentioned above NOT making - and indeed helping to keep - the internet "safe"? Of course they are, irrespective of whether or not a "safe" internet should ever require them.
Paperghost |
Homepage |
01.08.07 - 8:06 pm | #
|
|
Wait, the streets aren't less safe purely because they have policemen on them entrusted with the task of keeping law and order. The "war to keep our streets safe" is only lost if the people keeping those streets safe go away. Nothing is 100% safe and secure, from the PC in your living room to the backdoor of your house.
It's exactly the same for the internet.
How is something less safe because there are people keeping an eye on things? Yes, in an ideal world, we'd all love there to be no people out there causing problems for the rest of us (and so no need for anyone to protect us from them), but it's completely unrealistic to say the "war to keep the net safe is lost" because we have people hunting down bad guys. These individuals are in every walk of life both online and off, and the only solution IS to have these people around working to keep us safe. Gadi is wrong - the war to "keep the net safe" is ONLY lost when the people working to protect us, from the security companies to the forum helpers give up and go home.
Dintz |
01.08.07 - 8:47 pm | #
|
|
I think the point here is that we're fighting to remove malware from systems that were already compromised, and MILLIONS of systems get routinely compromised. A certain OS gets routinely exploited by bad guys and cleaned up by its users, that doesn't make it a *safe* OS. Similarly, the Internet is not a *safe* environment now, it's an *unsafe* environment that's desperately fighting to get back on track.
Also, don't think for a second that the people who go to forums and ask for help are all the ones (or nearly all the ones) whose machine has been compromised. They're nothing but a small fraction of them. Many users (most users) either don't even realize they've been had, they realize too late, or just don't know where to go.
TNT |
Homepage |
01.08.07 - 8:58 pm | #
|
|
"Similarly, the Internet is not a *safe* environment now, it's an *unsafe* environment that's desperately fighting to get back on track."
Whether the net is classed as safe or unsafe still doesn't change the fact that Gadi said the fight to *make* the net a safer place has been lost. While people are still battling the crap out there, regardless of the numbers they're up against, he simply cannot claim the fight to *make* the net safe has been "lost".
I don't get it. How is the fight "lost" when they're still fighting?
Paperghost |
Homepage |
01.08.07 - 9:59 pm | #
|
|
He said the war to make the Internet safe (not safer) has been lost. He certainly didn't imply that we should all give up and go play golf or something.
But Paperghost, I don't see how you can see anything wrong in that statement. Yes, we're still fighting, but we're fighting to take the Internet back, not to keep it "safe like it is".
There's plenty of parties one can blame for this, but the malware should have NEVER become an industry like it's become.
TNT |
Homepage |
01.08.07 - 10:22 pm | #
|
|
"He said the war to make the Internet safe (not safer) has been lost."
I just advised someone with a new PC to run under a limited account in Windows, amongst a hundred and one other things. That's somehow not trying to keep someone "safe" on the internet? That's somehow not classed as fighting the "war" to make the Internet "safe" because Gadi Evron already said we already lost it long ago? How? Why? Do I not count because I'm not part of the elite club of security demigods worthy of the task to say what shall be classed as an effort deserving of the "war" and whether it's been lost or not? I'd class my actions as part of the war to keep the net "safe", not "safer", so what about me? Or is simply showing someone how to lock down their PC and not become a botnet drone not dramatic enough to qualify?
What about all those other people out there doing exactly the same thing? They don't count in Gadi's media soundbite, I mean statistical analysis?
Seems more like a debate about semantics than anything else at this point. I could call the above an example of being "safe" OR "safer", depending on what the user's initial starting position was. Either way, the extract comes over as a nice, empty quote for the press more than anything else.
Wait, I've never been hacked, or had my credit card details stolen or any of my web logins breached. The fight to keep MY Internet safe has been a roaring success. I guess I don't count in the news article's rather OTT assessment of the "lost war" for web safety because I haven't got a story to tell.
Dintz |
01.08.07 - 11:11 pm | #
|
|
Dintz, tell that to like... Gmer, for instance. I bet he's never been "infected" either. Hell, his knowledge would make most "never had my machine infected" people look like morons.
Now his site has been under DDOS attack and they had to take it down at least TWICE. Now you tell me the Internet is a safe place, as shown by your "roaring success"? Please.
TNT |
Homepage |
01.08.07 - 11:23 pm | #
|
|
"Now you tell me the Internet is a safe place, as shown by your "roaring success"?"
..if my machine isn't compromised, then yes indeed, it is, because it certainly won't be DOSing anyone as part of a botnet anytime soon. I work on security forums under a different alias and while I might not be anyone special in the fight against malware, I certainly know an infection when I see one so please dispense with the "this person is better than you, therefore your knowledge sucks" attitude.
Regardless of what you say, I did indeed secure someone's machine today to the point where it does indeed count as having made a small piece of the internet "safe". I have a feeling that it would be rather a stretch to label this person's single machine as the last bastion of safety on the entire internet, so I can only assume in my naivety there are actually many more machines out there that haven't been hacked yet too. Does that make the claim that the war to make the net safe has somehow "failed" sound somewhat hollow?
Yep.
Dintz |
01.08.07 - 11:36 pm | #
|
|
"I certainly know an infection when I see one so please dispense with the "this person is better than you, therefore your knowledge sucks" attitude"...
This is absurd. Where did I say that "this person is better than you"? I don't even know you.
Gmer is a very well known security professional and YET, HE (nor anybody else) couldn't do anything against a DDOS attack of tens of thousands (at least) machines. What does your one "clean" single machine matter in this case? You're not even offering a "service" that could be remotely DDOSed anyway, so what's your point?
In a "safe" Internet there are no crime-financed bullies that take hostage your sites because they don't like you. In a "safe" Internet, there are no crime rings that secretly remotely control hundreds of thousands of computers. In a "safe" Internet, it doesn't happen that 3/4 of the e-mail is spam. In a "safe" Internet, it doesn't happen that 3/4 of computers secretly send private information to remote sites without their owners realizing it.
You can dance around the argument, saying that you make the Internet "safer", or that you're perfectly ok with what you've got. But that doesn't change the fact that now the Internet, AS A WHOLE, is a security near-disaster.
TNT |
Homepage |
01.09.07 - 3:11 am | #
|
|
"You can dance around the argument, saying that you make the Internet "safer", or that you're perfectly ok with what you've got. But that doesn't change the fact that now the Internet, AS A WHOLE, is a security near-disaster."
The net has ALWAYS been a security "near-disaster". So are most other things in life. But the fact remains, he said something that comes off as a bad doom and gloom prophecy which is only accurate if you somehow disregard the fact that despite all the spam, botnets, blackmail and DoS, there are still whole chunks of the net that have not slid into ghastly disrepair. With that in mind, what ARE the qualitative factors going into the make up of his point? What percent of the net has to be deemed a "security near-disaster" in his eyes before he can decide for the rest of us that the "war" (ooh! war! because "war" always sounds more sexy than "some guys doing stuff in front of computers") to keep the internet safe has been lost?
Dintz |
01.09.07 - 8:10 am | #
|
|
"Gmer is a very well known security professional and YET, HE (nor anybody else) couldn't do anything against a DDOS attack of tens of thousands (at least) machines. What does your one "clean" single machine matter in this case? You're not even offering a "service" that could be remotely DDOSed anyway, so what's your point?"
Uh, because his PC is not going to become a drone used in a botnet to DDOS someone, therefore through his or her own actions has not only kept their PC safe, but also helped to keep a portion of the net safe because they won't be used to knock someone else offline.
Multiply that small yet significant action by however many other people do something along those lines, and you have a huge chunk of "net" that is about as reasonably "safe" as it's possible to be.
That article is about the biggest piece of shit FUD I've read in a long time. I can imagine the journalist popping a huge erection at some of those comments made. The best part is how it's all presented as if the information within is somehow "new". Oh god, the internet is doomed! I can't use it! Everybody's getting knocked offline and having their card dets stolen and pedophiles are on every second site and.....oh wait, we already knew all that. Big deal. And what about the systems other than Windows? Great, let's get a quote in about the most popular machines being the easiest to crack into. Why not counterbalance that with how hard it is to crack into a decently secured Windows box, or even better look at how HARD it is to crack and use Linux or Macs for botnets?
Nah, we WILL however throw in a token reference to the "MAC BOTNET!" bullshit from last year, but won't mention that actually LABELLING it as such was viewed as controversial at the time.
garbage.
It's a vision of hopelessness that comes across as perfect headline print to sell more stuff. He might not be selling anything, I don't know - but it's a definite "hi you're doomed, so you'd better buy my product to make you safe" tagline. A quick search reveals sites rerunning the article with THE WAR IS LOST in big bold letters all over the place. It's something reporters can get real excited over and build articles upon yet more exciting ways of telling you that you're screwed. One site even goes as far to say:
"EVERY day, your computer is at risk of being hijacked by hackers to wreak all sorts of Internet havoc such as sending spam, committing fraud or stealing data.
And here's the real bad news - there's not much you can do about it."
What COMPLETE AND UTTER BULLSHIT.
Yet they based their report, their writeup, their subheadings and the overall tone of the piece on Gadi's quote. What will the average user think when reading that? These kinds of things can have a detrimental effect on the overall impression one has of just how safe they are, as opposed to encouraging people to get (and stay) secure. I can imagine people reading the piece I just quoted and dropping their PC out of the window.
Oh, the article above finishes on a great note, too:
"The popular machines are so easy to penetrate, and that's scary."
Remember - YOU ARE FUCKED. We're not going to tell you exactly how or why though, you just are. God forbid we should actually say what you could do to minimise this ALL ENCOMPASSING THREAT, because that wouldn't be exciting enough. The future is bleak! The future is cyberpunk!
Apart from anything else, the attitude presented in that thing just sucks ass. Like this guy said http://blogs.zdnet.com/BTL/?p=4245 :
"The article gives little hope that the problem will be solved any time soon and few clues about what can be done to combat it. All kinds of experts were quoted, but no one offers any advice. In fact, the consensus of the people quoted seems to one of hopelessness."
...yeah, no one gives any advice because they're too busy hitting you with predictions of doom so you'll go out and buy their products, I guess. But thanks to those security experts for telling us we're all fucked and there's nothing you can do about it, there's nothing BEING done about it, and that even if there WAS, you'd STILL be fucked, even though there IS something being done about it but we don't want to focus on that because that might give you some vague glimmer of hope. So we won't.
bullshit.
SubRath |
01.09.07 - 8:45 am | #
|
|
SubRath, given the fact that I use OpenBSD at home, the fact that I surf with my browser sandboxed in systrace, the fact that I get NO SPAM WHATSOEVER (since I never gave my regular e-mail address to anybody), etc, I can only laugh at your comment.
The Internet is in such a pathetic state not because of the people showing how dangerous it is, but because of the so-called "security" advice given by morons that believe all it takes to be reasonably safe is updating the antivirus once in a while. And that's all there is to it.
TNT |
Homepage |
01.09.07 - 2:21 pm | #
|
|
" SubRath, given the fact that I use OpenBSD at home, the fact that I surf with my browser sandboxed in systrace, the fact that I get NO SPAM WHATSOEVER (since I never gave my regular e-mail address to anybody), etc, I can only laugh at your comment"
...which comment? You're not making any sense. If I knew what you were referring to, it would mean more to me. But then considering most of your comments here involve laughing at things others have said, I'm not sure I could actually be bothered arguing the toss over it so whatever.
"The Internet is in such a pathetic state not because of the people showing how dangerous it is, but because of the so-called "security" advice given by morons that believe all it takes to be reasonably safe is updating the antivirus once in a while. And that's all there is to it."
While you seem to enjoy laughing at "morons" and anything said that you don't happen to agree with, that's still irrelevant to what I'm saying. That article is crap, I don't agree with what Gadi said and most importantly, the way the quotes are being used to spin utter nonsense is a disgrace ("And here's the real bad news - there's not much you can do about it.").
Uh right, Mr Journalist. What a load. Are people like Gadi happy to be associated with articles pumping out crap like that?
SubRath |
01.09.07 - 3:27 pm | #
|
|
SubRath, what I'm saying is that it's certainly NOT because of fear-mongering that security problems on the Internet exist. In fact, it's more likely because of idiotic PR campaigns by Companies that keep spouting out their "now even easier and more secure" crap.
TNT |
Homepage |
01.09.07 - 3:40 pm | #
|
|
...
This isn't going to be pointed at anyone here.
1. Fear mongering is a crap practice. Especially because several sites that practice such tactics are not the complete security solution they tout themselves to be.
This tactic leads several people to a false sense of security and really, leaves several companies in business that should be run into the ground hard core.
2. The issue, that is being waved around by everyone here...
END USER EDUCATION
The internet is akin to people who have been handed car keys. People who have never seen a car, much less a stop sign, street light, or any emergency vehicle.
People don't understand and therefore pick up poor practices.
Using poor security products, not properly securing the machine, etc... all of this goes back to people NOT understanding.
And that is why this "war" is not lost. Because people can always be educated...nothing is written in stone, we all have the capacity to grow and understand.
aquias |
01.09.07 - 4:26 pm | #
|
|
" He said the war to make the Internet safe (not safer) has been lost. He certainly didn't imply that we should all give up and go play golf or something."
Might not have been his intention, but it sure does come off like that. That article is so depressingly one sided in its desire to paint the picture that everything and everyone is screwed it's like listening to five emo albums in a row. Then slitting your wrists. Then using the blood to write your livejournal entry on the CRT because you couldn't be bothered to use the keys like everybody else.
Roukan |
01.09.07 - 4:37 pm | #
|
|
The war to make the Internet safe ??
The internet has never been Safe if by using the word Safe! you mean Regulated and controlled and I do hope that never happens.
It's a question of what do you want out of the Internet?
1 Do you want to be able to download music for Free
2 Do you hate Adware
3 Do hackers worry you
4 Do you want the Free Nature of the Internet to continue
5 Do you like Sites like Myspace and Bebo
6 Do governments have the right to Control the internet
These questions Could be sent to any End user and to say the least the answers would be interesting 
milligansghost |
01.09.07 - 4:49 pm | #
|
|
Wow, did I stop a convo?? Or was I just the last to comment???
milligansghost |
01.11.07 - 5:06 pm | #