Sunday, February 21, 2010

Don't Mind Me

About a year ago a co-worker and my wife had computer viruses downloaded to their laptops. At the time, I thought they brought this upon themselves - probably by clicking on a pop-up rather than closing it from the toolbar at the bottom of the screen. I was not sure if they each had the same bug, but the concept was similar. Basically, a file on the computer called itself antivirus software and repeatedly offered updates that cost money. This was the first I heard of that novelty, a sort of hijacking reminiscent of a wolf in sheep's clothing. Within a week or two I found myself staring at a different virus alert on my laptop. I had no clue where it came from and I learned that I was wrong in thinking that risky online behavior was the only way to catch a bug. It took a few hours with a nice IT guy to get my Vundo virus removed.

I recently read a book written by one of the bright minds from McAfee. It was a quick read that left me feeling safer from the things I expected viruses could do and uncomfortable about the things I did not expect from viruses. I had not considered that access to a corporate network put my machine at risk - given the thousands of workers accessing the same drives there is ample opportunity for a single machine to proliferate malicious code onto my laptop. However, I did feel better about my router and the potential for someone to remotely steal my passwords. The book did not leave me any other options than using the antivirus software I already do. It did highlight the ability of SiteAdvisor to identify websites that are not what they claim to be (like a bank website actually redirecting from some other website to steal financial information). The book made the point that code executed online for advertisements is often the source of these problems. Websites selling advertising space would like to scan all code thoroughly, of course, but sometimes the ad space is contracted out to someone else (like Google AdSense). The sheer volume of ads and the access they allow means there is a healthy risk of code executing in a website ad whether or not you want it to execute.

About a week after I read this book I ended up with Antivirus Soft error messages on my computer after a Google search. I learned from the book that this bug could have been dormant on my machine for some time before it started to do its dirty work. I tried a system restore anyway to no avail. It took two full system sweeps to clear it out. It had a few different parts and was pretty complex. One bit is a file on the computer that makes the other bits. One bit hides the other bits from antivirus software. One bit disables Task Manager and other programs you might open to check what is running. One bit redirects Internet Explorer to access its proxy server to disable all websites other than its offer to remove the virus from your machine. I am probably able to attack this threat better than most but the fact that I was unable to avoid it makes me feel unqualified to ever speak to Internet security.

My two conclusions:
1. Internet fraud is more profitable than Internet viruses.
2. Javascript is bad.

A couple of bright minds at Microsoft put together a paper on the profitability of Internet viruses. Conventional wisdom would have us believe that since viruses can be put together for free any benefits are pure profit and it is an easy source of income. It turns out the lack of barriers to entry makes this marketplace not so profitable. The threat of stolen credit card information is real, but the fact that the information is sold for pennies on the dollar means that an incredible volume is necessary to make the crime worthwhile for the majority of the world. This volume calls the attention of the companies that operate the servers that run the Internet. In other words, making a lot of money by stealing a lot of identities exposes the thief.

Internet fraud, on the other hand, can be done a few ways and calls into question international laws. For example, off-shore gambling websites advertise in the United States under [website].net ads for free-to-play websites knowing the majority of users will key in [website].com, where real gambling occurs. Websites routinely offer goods for sale that either do not exist or are stolen goods. There are not great tools for users to know whether a new website really is the bargain store at the street address listed or a teenager in his parents' basement trying to dupe the world into supplying enough cash to buy a new video game system. If you have ever used Facebook you've seen the numerous ads for making money off Google. These invariably represent either pyramid schemes or useless information for sale. Keep in mind that Google makes money selling ads for fake businesses offering these scams, and although it does have a serious effort to reduce them it does not really lose anything from taking their money. There's a technically savvy way to manipulate Google's ad software by making one website call up another to drive up the number of clicks on the ads. This is probably easier and safer to do than creating a virus to send out aimlessly across the Internet. I'm not smart enough to do either, but targeting a mark with fraudulent activity seems more effective than aimlessly hoping a bit of code survives online without multiple antivirus and firewall protections killing it off.

One of the things I typically think about when writing a website is when to employ Javascript. I've learned over the years that it is not favored by the experts I'd followed, so I try to avoid it. Code on your machine is just that, server-side code executes on the Internet and delivers a result to your computer, but Javascript is sent by the server to your machine to execute. HTML operates the same way, but since it is static it does not have the security issues of Javascript, which can run while the website is open. In other words, Javascript can be used to launch an attack at your machine, cause your antivirus software to be bypassed and bad code to end up downloaded. There are many, many valid reasons for Javascript (some website hosts only allow HTML and Javascript but no server-side scripting, some information really should come from the user rather than the server, such as local time, Google AdSense uses Javascript, etc.) but there is a reason why Internet browsers offer the option to disable it. There are probably similar coding languages that have the same threat, but by far Javascript is the predominant risk because it has been embedded in websites for a decade, so browsers must support the code. It is active on probably the majority of websites (I could be wrong, as I have been before) and its popularity leaves it in the hands of legions of amateurs (see MySpace). After my latest virus experience I've decided to disable Javascript going forward. There will be performance issues because most websites expect it to be available (like Blogger, for example), but I'd rather deal with that hassle than the rogue software injected into my machine.
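As an added example (not code from the post), here is a small Python script that inventories the scripts a page would run if Javascript were enabled, separating first-party scripts from third-party ones such as ad-network code and counting inline blocks; the page URL and HTML are constructed samples, and the goal is to see exactly whose code you are trusting before enabling Javascript for a site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one first-party script, one third-party
# (ad-network style) script on a protocol-relative URL, one inline block.
SAMPLE_URL = "http://blog.example.com/post.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//ads.example.net/show_ads.js"></script>
<script>document.write('<img src=track.gif>');</script>
</head><body><p>Hello</p>
<script type="text/javascript" src="http://blog.example.com/js/comments.js"></script>
</body></html>"""


class ScriptInventory(HTMLParser):
    """Collect every <script> tag: external sources and inline blocks."""

    def __init__(self):
        super().__init__()
        self.external = []   # raw src attribute values
        self.inline = 0      # number of <script> blocks without src
        self._had_src = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self._had_src = src is not None
            if src:
                self.external.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and not self._had_src:
            self.inline += 1


def script_origins(page_url, html):
    """Classify script hosts as first- or third-party relative to the page."""
    parser = ScriptInventory()
    parser.feed(html)
    page_host = urlparse(page_url).netloc
    first, third = set(), set()
    for src in parser.external:
        host = urlparse(urljoin(page_url, src)).netloc  # resolves // and / URLs
        (first if host == page_host else third).add(host)
    return {"inline": parser.inline,
            "first_party": sorted(first),
            "third_party": sorted(third)}


if __name__ == "__main__":
    print(script_origins(SAMPLE_URL, SAMPLE_HTML))
```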

I asked Lisa if she thought people would accept a safer Internet if it were slower. She immediately said no. That crushed my idea for proxy web surfing. It would have to be slower, and that would make it ill-suited for streaming content (audio or video). If you've ever shared a screen through an instant messenger you see what I thought could be done - one machine calls the program code and literally just shows a picture of it to the other machine. I'd call it remote surfing and still think it could be sold. I doubt people who want access to very private information, like banking, would be open to this concept. However, most Internet surfing is not private data or streaming content, and a lot of it already travels through multiple servers. It is the code that executes on your machine rather than on the server that is the real problem, so I'd like a workaround for the server to deliver just the way things should look and not any code at all.

2 Comments:

Blogger Dave Buckley said...

Hotmail & Blogger are the first sites to virtually lock up without Javascript.

My tactic is to disable Javascript by default and activate it when on a site I need to use that requires it. Something tells me I'll get lazy sooner or later though.

February 21, 2010
Blogger Dave Buckley said...

Add YouTube to the list of mainstream websites that literally require Javascript enabled.

I suspect the ability of Javascript to deliver moving ads is the reason these behemoth websites require it - Javascript helps deliver them revenue.

February 21, 2010
