The U.S. has 18 percent of its machines controlled by botnets

Using a botnet to send spam

A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night.

The ‘pro’ was of course the saving of electricity – all good and “Green“.

The ‘con’ was that this saving would be offset by the cost in time as employees waited for the machines to book and waited while they shut down – the latter to make sure that they didn’t hang.

The article didn’t discuss home users. I’m sure home users would appreciate the savings and be willing to devote the time 🙂 While many people work from home and many children use computers from home, I don’t think there is a need for an ‘always on‘ computer in the home.
(Unless you count the fridge or the microwave or the VCR clock ..)

Would turning those computers off affect that botnet? Perhaps. I’ve certainly met people who when they learn I’m involved with IT ask me why their computer runs slower than when they bought it. I ask if they run AV or other anti-malware software, purge adware … I rarely hear from them again but when I do its to say that some tool like “Search-and-destroy” told them they had gazillions of malware. And they ask me where it comes from.

I don’t know, I run Linux.

But that argument against turning off corporate machines is specious at many levels. Most of the staff at my clients seem to use laptops rather than desktop machines. They take them to meetings and presentations, sometimes they take them home. All this involves turning off and on. If they don’t take them home at night those laptops have to be locked away, not left on the desk top. That’s been policy everywhere I’ve worked this last decade.

The limiting case was one year I worked in a port-a-kabin.
The sub-zero overnight temperatures meant none of the workstations were operative. So we turned on the cabin heating all the electrics, all the machinery and went to get a coffee (aka “breakfast”). Half an hour later the cabin was warm enough for the electronics to operate. We were not allowed to leave the cabin powered up overnight.

Would shutting down the home machines each night reduce the level of spam? Perhaps. That’s an incentive over and above the Green one of saving electricity. Perhaps some service provider service technician should recommend this over and above regular ‘purges’.

The McAfee report doesn’t make a clear distinction between commercial and residential hosts for the botnets, though it does mention some government agencies and banking institutions in Russia are
malware-laden. The large corporations that make up my clients have always had IT departments that support good front-end filtering and making sure that the workstations have up to date AV software. That being said, I see a lot of people who turn off their AV software. Myth or not, many still believe it affects performance.

Of course I run Linux and I don’t have to worry about rogue ActiveX, and I don’t run attachments I get in the mail and there are many sites I simply don’t visit!

And I turn my home machines off at night.

Reblog this post [with Zemanta]

Why applications have security bugs

It was this comment to the posting that caught my attention:

Some of us idiots used to think that any devs who weren’t aware of buffer overflow before the Morris worm would be aware of it after the Morris worm. But in fact, your posting almost points out why many devs remain blissfully unaware:

“we developers were trained to focus on and typically only ever focused
on how legitimate users will use the product”

Close. Developers who want to have good jobs have to get trained to focus on how their managers pretend the product will be used. Anyone who thinks as far out as actual end users will get canned for not being
a team member. Anyone who thinks even further out about actual end misusers will be sued for being a hacker. But yeah, you explained it.
Thank you.

Long time readers will know that the Morris worm is my poster-boy for complaining that modern schools don’t teach defensive programming.

It seems I’m not alone.

Reblog this post [with Zemanta]

OWASP Top Ten is really the OWASP Top 6.5

Announcement of changes in company password po...
Image via Wikipedia

This is somewhat dated, but so what? Most of the points raised still hold valid.
It opens:

CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!”

… and it goes on with the sad-but-true

Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”

Wasn’t there a Dilbert strip about that?   “Invoking the awesome power of certification“?

Speaking of which:

Dilbert “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”

How true; how poignant! And we all know the response to that:

Consultant: “I’m sorry that is not on the list! hmm what to do? I will use the consultants Top Ten Scarry Word List!” Sarbanes-Oxley, HIPAA, PCI…”

Seriously, though: a while ago I read an article suggesting that how you title you posts or blogs was very important and used examples from magazines such as Cosmopolitan to illustrate that: “The top 10 ways …”, “10 things you should know” and such like were going to attract more readers.

Well heck, who wants to read an article titled:

“Six and a half ways to secure your web site”.

Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.

Reblog this post [with Zemanta]

Hysteria over swine flu is the real danger

And in world terms how does this compare to nuclear tests in North Korea?
Continue reading Hysteria over swine flu is the real danger