-
Quote:
Originally posted here by okay
I'm an idiot and don't work in IT. But I do like Windows and IE - Bah at you internet security nutheads... majority of you that like me don't shop online and keep personal stuff off your computer should pull off your tin foil hats and put on your pirate hats... yar mateys!
Wellllllllll ..........
Gotta LOVE this guy :D
any takers on just how long he COULD stay online WITHOUT a break ?
As for what 'they' could find ...............
that's not the point, the point is that 'they' use your PC to do 'their' dirty work, THEN when the police track 'them' down ................
It's YOU that gets busted, and YES, laws are on the way to make sure that the owner/operator has taken 'reasonable steps' to protect his machine.
As for running book ................
I doubt if anyone would put money on 'more than a couple of days' :p
[edit]
I think I cut QUITE the dash in my tin foil hat anyway :D
-
okay's comments were perfectly reasonable.
Risk management is about reducing risk to an acceptable level, if he has no assets to protect, any resources spent on protection must be considered loss. (since more resources are spent protecting than are at stake)
All this BS about the police coming to him in the event his system is compromised and used in another attack... so what? He is under no requirement to maintain a secure system and until he has shareholders, is considered critical infrastructure, or is contractually bound to a security standard he has no obligation to implement any security whatsoever and is not liable for consequences there in. Furthermore if his ISP cancels his account because his system is used in DDoS attacks and if he lives in the US he has firm ground for a lawsuit as he cannot be discriminated against based on his knowledge of the relevant technologies.
cheers,
catch
-
Catch:
To hoist you on your own petard, (finally ;)):-
The fact that his internet access is removed is a cost. The fact that you have to take the ISP to court is also a cost with no guarantee of a win that offsets the cost. Yes, you could increase the cost by sending it to an appeal court but, again, you have no guarantee of winning.
Ok, the police probably won't appear at your door.... But if they do... I can assure you there is a cost and it isn't fiscal.
There are "costs" outside of financial but in many cases there will be fiscal cost. While I utterly agree that security is a balance of cost to loss what is the value of you losing your internet connection at home. If it exceeds a free AV and firewall then you failed to properly secure your computer. If you don't use AV and firewall but fail to spend the time and effort, (Read: Cost), to secure the computer without them then, again, you have failed to properly secure your computer. Either way, "Okay" is wrong.
-
The odds of his internet connection being disabled are near zilch, and if they do disconnect it he will most assuredly come out better financially (provided this causes him any loss whatsoever). With minimal effort, a lawyer would handle this case no fee up front as it is such a clear win (in the US anyhow)... I got free broadband for a year a few years back because my internet was out for a day due to a car crashing into the phone pole.
The odds of the police coming to his house are also minimal, they know how to tell a zombie system from an actual attacker... most likely if anything happens he'll get a notification from his ISP and the police may want the system for evidence... (this is made even more unlikely by having a less secure systems since the attacker will more easily remove traces of the transaction, so here less security actually reduces the risk.)
If the user has no need for availability... there is no cost to having the system unavailable. My grandmother goes for months at a time without turning her computer on, and frequently uses her neighbor's anyhow... how much security does she need to do nothing more than occasionally look up operas?
What if okay is a $500 an hour lawyer and it takes him, a non-IT person 10 hours to secure his computer annually... in this case should he still take the time to secure it? Should he pay someone else to secure it and upkeep it (again the time the contractor has the computer is a loss of availability)... none of this was considered. Fact is, if okay is happy with his level of availability, why should he spend more resources on it?
cheers,
catch
-
First, you're all assuming my computer is being used as a zombie in DDoS attacks, why? How many have you thought through that I may use a dial up modem? Or that I may disconnect my laptop from the network when I'm not online? Pretty stupid assumptions on your part. Next, like catch said, the computer is something I use for typing and occasional internet browsing - lately this site and CNN. I don't live online like you tin foil hat wearers.
Next, foxy, link me to these pieces of legislation? I live in the USA, heres a link to a site that shows all action on the Congressional floors and any proposed bills http://thomas.loc.gov Read it through carefully and ask yourself, who decides reasonable? Broad and undefined clauses like that leave gaping holes for attornies to pick open. Get real, laws like that will be ripped open based on constitutionality as well.
Tiger, don't assume things to be true. My computer fits my needs and it may not be secure, but what's that matter if it sits in a corner without an internet connection and is only used by me?
-
:hello:
I'm going to bring up a point that doesn't argue much from the cost/loss perspective, but more from the ethical.
I agree that you shouldn't secure a system at a greater expense than the data to be secured. However, I have a friend that worked on a system hosting some disgusting things. It belonged to an elderly couple that didn't know what they were doing. He called me up, and was completely freaking out. The couple was clearly attacked, and eventually worms ended their internet access, taking them to the shop. They didn't know anything about their server until it got brought in.
The attack didn't cost them much more than a trip to geek squad + the loss of emails & pictures, but I'm sure they would have paid more than that just to prevent that crap from getting on their system. Since then I make an effort to see that those around me have at least the most basic security in place, because I would hate to clean that **** up. It's selfish to ignore basic practices if you have the know how to prevent something like this from happening.
This doesn't mean I hold the uneducated accountable, I just think it's important to educate and help out others where you can.
-
Quote:
Originally posted here by okay
First, you're all assuming my computer is being used as a zombie in DDoS attacks, why? How many have you thought through that I may use a dial up modem? Or that I may disconnect my laptop from the network when I'm not online? Pretty stupid assumptions on your part.
First, you think that just because you have dialup or because you disconnect your laptop from the network when you're not using it that you're safe? Pretty stupid assumption your part, if you ask me. Ever hear of the Sasser worm? Came out the second half of the year before last, IIRC. At that time, I was working for a small ISP doing tech support and we were utterly swamped by calls from customers who a) used dialup b) were infected by just being online for a short period of time. I remember hearing "But I was only online while I downloaded my e-mail." from more than one customer. Didn't matter. They were still infected. A simple firewall would have protected them.
The tone of your original post gives me the impression that you're just some guy wanting to seem bad-@$$ed by seemingly breaking the rules. Trust me... you don't seem all that cool.
- Xierox
-
I ever say I wasn't using a firewall? But nonetheless, do you even understand what Sasser exploited? Do you know that it used port 445 to exploit lsass? Do you even understand that Windows computers sharing files use port 445? Do you comphrend that most computers running a firewall and allowed file sharing would've been exploited? OS failures don't represent a lack of knowledge nor security on a user's side. Lame example.
And trust me. I'm totally not cool. But aside the point, do I care what you think? No.
-
Well, I use Avast AV, spybot and adaware, spyware blaster for malware prevention, and CWshredder... All I do is update and scan with everything once a week, and the only things that sometimes get through is adware/spyware, which gets deleted after the scans anyway... I don't get any pop ups, no system slowdowns, just doing this keeps your system pretty clean and running fine. When I suspect something I use hijack this and check the log out.
Oh and for the computers that aren't on my router/firewall, I use Sygate.
It takes a while to download and install and get everything set up right and such, but after your done with that, it's simply a matter of updating and scanning once a week, and paying attention to your firewall logs.
I know some members like The_specialist will disagree with my methods (If I remember correctly he doesn't use any software), but it works for me...
***EDIT***
Heh, judging by Okay's last post, I think he earned himself the The_specialist_junior name :p
-
Quote:
Originally posted here by okay
I ever say I wasn't using a firewall? But nonetheless, do you even understand what Sasser exploited? Do you know that it used port 445 to exploit lsass? Do you even understand that Windows computers sharing files use port 445? Do you comphrend that most computers running a firewall and allowed file sharing would've been exploited? OS failures don't represent a lack of knowledge nor security on a user's side. Lame example.
And trust me. I'm totally not cool. But aside the point, do I care what you think? No.
I'm sorry. You didn't say you weren't using a firewall, I assumed that you weren't from your first post. My mistake.
No, I do not know specifically how Sasser worked. I knew it exploited lsass, but past that I was not clear. Thanks for teaching me something.
Ok, now I'd like to apologize to okay. It seems I misjudged you by a longshot. I have a friend back home whos computer was infected by all sorts of crapware. I offered to clean it up for him because a) it would run better and b) he would be doing the rest of the internet a favor and that he was responsible for what his computer was doing on the net. His reply? "Show me the law that says I have to keep my computer clean." Made me mad, real mad that he didn't care if his computer affected anyone else or not.
I assumed you shared the same mentality, but the more you defend your views, the more I think that you're not his type.
I was wrong to attack you like that. I'm sorry, and I apologize.
- Xierox
