BBC hack 22,000 computers

[Rik]

hey rik

http://www.idnetters.co.uk/forums/index.php?topic=13257.0

Just saw. 

[Tacitus]

I know just what you mean, Tac. I wonder, though, if the world moved to Macs, how long it would take for them to become vulnerable.

Oddly enough I deleted a sentence which said people will say if Macs/Linux had a bigger market share they would be just as bad, thinking I'd let someone else come up with the usual riposte  :-)

Not provable except in the event, but as Arthur says Windows was never designed for networks.  What he doesn't say is that the prime motivator in Windows design was not technical excellence but an overwhelming desire to destroy the opposition.  "It's not done till Lotus won't run" has more than a grain of truth in it.

In practice we need a diversity of systems and CPUs and with the internet we 'should' be moving towards that.  Different instruction sets, and OSs combined with better address space randomisation would make life increasingly difficult for the bad guys.  Probably not impossible but certainly much more difficult.

[Rik]

Sadly, nothing is impossible when it comes to computer malfeasance.

[DarkStar]

Another bit of info on this from Prevx:

Yesterday, 09:08 PM

PrevxHelp 
Support Specialist       Join Date: Sep 2008
Location: USA/UK
Posts: 1,109
Re: Introducing, The New Prevx Edge.
________________________________________
Quote:
Originally Posted by Longboard
@Joe
What's all this about?
http://www.theregister.co.uk/2009/03..._botnet_probe/
Bloggged anywhere ?
Looks to me like the BBC took a few liberties ??
Need to be Careful who you cooperate with ??

All those endusers who had their screensavers taken over must not have been running PrevX eh.

Don't believe everything you read  The BBC's demo did NOT take down our website  We allowed them to attack a small demo website which we put up - it actually has no relation to our website at all, but its reasonable that the true attack destination got confused.

I'm not sure what the users were actually using but the actual botnet was acquired by the BBC ~6 months ago, I believe, so they couldn't have been using Edge  (and also, we heuristically detect the backdoor trojan used in the attack so we would have blocked it anyway  )

(Also, FWIW, the BBC changed their desktop background, not screensaver, to report the infection)

EDIT: Minor text edits 
__________________
Prevx Software | Prevx Edge Help

[Rik]

I still feel they've broken the law, Ian.

[DarkStar]

I couldn't agree with you more Rik. I also think they broke the law but I can also understand why they did it. Unless someone takes out a private prosecution they will get away with it. The sad thing is that of the 22,000 that were hacked probably less than 1% will do anything about it. It's not that people don't know or understand, they simply are not interested as long as they can get on their favourite  social networking site.

[Rik]

I have to agree with you, Ian. If they cared, they wouldn't have been in the mess in the first place.

[Dopamine]

In practice we need a diversity of systems and CPUs and with the internet we 'should' be moving towards that.  Different instruction sets, and OSs combined with better address space randomisation would make life increasingly difficult for the bad guys.  Probably not impossible but certainly much more difficult.

"In practice we need a diversity of systems and CPUs"..... which would make it ruinously expensive for software companies to produce mass market products.

Just one example that illustrates where your argument is totally flawed: mobile phone chargers. For years we've needed a different charger for different phones. At long last a standard is being adopted.

Computers, the internet, mass usage of them and it, all are as a direct result of uniform design, even if that uniform design has been achieved by the market dominance of MS. It's fashionable to knock MS, but would you honestly want to go back to having no viable internet or well developed software to run on your PC? Many companies can't or don't attempt to get software to work on both PCs and Macs, so how you think an even greater variety would help is lost on me.

What we need is not diversity, but harsher penalties for virus writers and malicious hackers. Microsoft and Apple alone could afford to offer many millions in rewards for the successful identification and prosecution of culprits. $1,000,000 for the identity and location of the writer of virus abc anyone? We'd have the details within a few days. Send them to prison for life, and then see how many little kiddies think it's funny to mess with the world's computers.

[drummer]

What we need is not diversity, but harsher penalties for virus writers and malicious hackers. Microsoft and Apple alone could afford to offer many millions in rewards for the successful identification and prosecution of culprits. $1,000,000 for the identity and location of the writer of virus abc anyone? We'd have the details within a few days. Send them to prison for life, and then see how many little kiddies think it's funny to mess with the world's computers.

And harsher penalties for bank robbers too because Barclays and NatWest alone could afford to offer many millions in rewards for the successful identification and prosecution of culprits.    Not gonna happen and I fail to see why OSs should be judged by different criteria

Some blokes in the UK a few years back got 30 years for robbing a train, but it didn't stop any subsequent wannabes attempting heists of their own.  Bit of a pipedream if you think wannabe villains will grass on their heroes

With respect though, this is a recipe for chaos because it exonerates virtually everyone (apart from MS and Apple) from any kind of blame.  If I fail to lock my door when I go out and get burgled, is it okay to blame Banham?

Personally, I'd have a very big problem with an 11 year old Ukrainian "hacker" on a dollar a week going to jail for life in order to make me "safer".

My computers' security is my responsibility and I accept that as a fact of life.

[Dopamine]

And harsher penalties for bank robbers too because Barclays and NatWest alone could afford to offer many millions in rewards for the successful identification and prosecution of culprits.    Not gonna happen and I fail to see why OSs should be judged by different criteria

Bank robbers already have far harsher penalties than virus writers/hackers, and there are many, many, many times fewer bank robberies than computers messed up by viruses. The banks don't need to offer rewards as the apprehension and conviction rates of bank robbers are already high.

Some blokes in the UK a few years back got 30 years for robbing a train, but it didn't stop any subsequent wannabes attempting heists of their own.  Bit of a pipedream if you think wannabe villains will grass on their heroes

Are you kidding? There are as many prosecutions of major criminals that come about because of information from grasses as there are from evidence found elsewhere. Villains are the worst grasses of the lot. Just ask a few experienced policemen. And if that doesn't persuade you, look at the weakening of the mafia in the USA. Major trial after major trial recently where the star witness/es have been mafia grasses.

With respect though, this is a recipe for chaos because it exonerates virtually everyone (apart from MS and Apple) from any kind of blame.  If I fail to lock my door when I go out and get burgled, is it okay to blame Banham?

No, but it's perfectly reasonable to expect to be able to live in a society where you have no need to lock your door. You can find many societies where there is very little crime, and almost all have extremely severe penalties for the small amount of crime that does occur. Penalties, and the fear of them, are proven to work if severe enough. We in the UK have just got used to the idea of low penalties and "rights" for people who choose to break society's rules.

Personally, I'd have a very big problem with an 11 year old Ukrainian "hacker" on a dollar a week going to jail for life in order to make me "safer".

Well, I'll concede that life is a little strong for an 11 year old. 30 years should do it.

My computers' security is my responsibility and I accept that as a fact of life.

So would I if I was allowed to exercise that responsibility without constraint, i.e., shoot the buggers if I ever caught them. But, as I'm not allowed to do that and have to rely on the police and courts to catch and punish offenders, I'd like them to have strong enough powers, and exercise them, to act as a deterrent.

Deterrents work, it's a proven fact. All they need to be is strong enough. Viruses and hacks cause thousands of pounds worth of damage every day and aren't just the minor irritation that some will argue. They are serious crime, but the attempts to catch the culprits, and the penalties imposed, go nowhere close to matching the severity of that crime.

[Gary]

I know just what you mean, Tac. I wonder, though, if the world moved to Macs, how long it would take for them to become vulnerable.

Macs have vulnerability's like any machine, but not as many of course, but I think market share is what helps keep them safer a bit like the Opera browser, though, I do wonder as you say Rik, if everyone used one how they would fair, at least they look good and have a better GUI and handle system resources better. My Laptop has the same screen res as Sebby's mac, full 1080P, I think the same amount of HD space (640gb) mine has a T9400 core 2 duo proc at 2.53ghz and 4 gig of DDR3 at 1066, and a Nvidia 9700M GT graphics card and I bet side by side the mac would run all over it performance wise.

[Niall]

I have to agree with you, Ian. If they cared, they wouldn't have been in the mess in the first place.

If they had done that to me, they WOULD be receiving a letter from my solicitor. How is it that the BBC seem to constantly have idiots working for them in the higher positions that manage the muppets that come up with these ideas? A bad suggestion is made, then an uninformed person that hasn't had the correct background research given to them gives it the green light. Who is to blame at the BBC, is it the lawyers or the BBC itself? Who has the final say to allow something that is clearly breaking the law?

[Niall]

Macs have vulnerability's like any machine, but not as many of course, but I think market share is what helps keep them safer a bit like the Opera browser, though, I do wonder as you say Rik, if everyone used one how they would fair, at least they look good and have a better GUI and handle system resources better. My Laptop has the same screen res as Sebby's mac, full 1080P, I think the same amount of HD space (640gb) mine has a T9400 core 2 duo proc at 2.53ghz and 4 gig of DDR3 at 1066, and a Nvidia 9700M GT graphics card and I bet side by side the mac would run all over it performance wise.

Do we actually know this to be factually correct, with regards to their being less vulnerabilities? I've never actually come across a list of them, or even seen a number being quoted. I suppose if there is less code and the O/S for said system had less functionality I could see it being the case, but as I say, I've never seen anything proving that.

[talos]

If they had done that to me, they WOULD be receiving a letter from my solicitor.

How would you know ?

Who has the final say to allow something that is clearly breaking the law?

Do you know that for a fact?

[Rik]

None of us does unless it's tested in court, Bob.

[talos]

None of us does unless it's tested in court, Bob.

I agree Rick, to a point, but untill it has been tested

[somanyholes]

Do we actually know this to be factually correct, with regards to their being less vulnerabilities? I've never actually come

across a list of them, or even seen a number being quoted. I suppose if there is less code and the O/S for said system had

less functionality I could see it being the case, but as I say, I've never seen anything proving that.

This article is fairly dated but the source of information is reliable.
http://blogs.zdnet.com/security/?p=758

The thing to think about is are we just talking about OS vulnrabilities or are we also including general application vuln's.

Apple have a very different disclosure policy to that of Microsoft and the Nix's. They don't do full disclosure, they ignore
quite a range of reported vuln's and only act when people start kicking off. Again I will say Apple is just as vulnrabnle to
attack weather this is through os vuln's (this will include vuln's reported in bsd, after all mac is built on it) or
application vuln's. I think a prime example of apple's attitidue is when they advertised Anti-virus on their website, to
increase the os security, Apple's HR dept kicked off and the page was taken down due to this not tieing in with all the
adverts advising it's a secure OS etc etc and how viruses don't affect it (haha). Another thing to take into consideration is Apple's low market share, if more used the more vuln's there would be. A final thing I have noticed is that the apple user's attitude is often their downfall, on a number of security audit's I have done, the fastest way gaining access to a remote network is for example vnc access with no passwords set. Let's not forget there is no patch for human stupidity regardless of the OS.

[Rik]

Shame about your last point, So.

[Glenn]

There are one or two way to stop stupidity forever.

[Rik]

I believe that the Human Rights Act would prevent the technique though, Glenn.

[Glenn]

Spoil sport 

[Rik]

Back to two bricks then.

[Sebby]

Do we actually know this to be factually correct, with regards to their being less vulnerabilities? I've never actually come across a list of them, or even seen a number being quoted. I suppose if there is less code and the O/S for said system had less functionality I could see it being the case, but as I say, I've never seen anything proving that.

I suspect that Mac OS is a much more secure operating system to start with, but also there's less interest in writing viruses for Macs. I don't believe any actual viruses exist for Mac...

[zappaDPJ]

There are a growing number of MAC specific viruses but nothing on the same scale as there are for the PC. Apple do now recommend that all users install antivirus software which gives some indication of what may be to come.

As to what the BBC did, I wonder if they are aware that hacking and denial of service falls under the Terrorism Act. I don't think for one minute that there would be any prosecution brought because of the intent but nevertheless as a publicly funded body I think they are treading on slightly dangerous ground.

There is certainly a need for more awareness as far as computer security goes but I don't think this was the right way to go about it.

[Tacitus]

"In practice we need a diversity of systems and CPUs"..... which would make it ruinously expensive for software companies to produce mass market products.

Compiler technology is getting better all the time.  Java and C# become more viable as computer power increases.  Not to my mind as impossible as you suggest.  If much of the action takes place in the cloud it won't matter what the underlying OS is.

Computers, the internet, mass usage of them and it, all are as a direct result of uniform design, even if that uniform design has been achieved by the market dominance of MS. It's fashionable to knock MS, but would you honestly want to go back to having no viable internet or well developed software to run on your PC? Many companies can't or don't attempt to get software to work on both PCs and Macs, so how you think an even greater variety would help is lost on me.

You didn't need to have a 'standard PC' to have the Internet all you need are the communication protocols which were nothing to do with MS anyway.   I know all the arguments for standardised product gave us the 'standard PC' and I conceed that it allowed the market to develop.  The downside is that it also gave us a monoculture. In computers as in nature a monoculture is a bad thing.  We've already seen how a virus can spread more or less unchecked, although other systems remain standing.  Diversity is there already we just need more of it.  Some servers run Apache, other use MS.  Some of the more secure ones in finance run Solaris, probably, though not necessarily, on Sparc.

What we need is not diversity, but harsher penalties for virus writers and malicious hackers. [SNIP]  Send them to prison for life, and then see how many little kiddies think it's funny to mess with the world's computers.

Do you seriously think a court is going to jail some script kid for life?  You might feel like it but I can't see it happening.  The real villains need to be caught not just the low hanging fruit.  Fair enough detection techniques are getting better but I think there's a long way to go. 

If you really want to jail someone how about allowing MS to be sued for loss of business due to their OS being insecure?  If they had to face the same consequential damages that (say) a car manufacturer has to face for bad design leading to failure, I guarantee Windows would be the most secure OS in existence.