Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?

from the asking-for-serious-trouble dept

Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond “yes” to any request — and therefore are likely to be infected by multiple types of malware doing all sorts of bad things — and those who respond “no” to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an “extra special secure connection,” and if they respond “yes,” you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won’t be hard, since they’re clearly ignorant and open to vulnerabilities — so you just install a rootkit and “0wn” their machine for the duration of the transaction.

As Kulawiec notes in submitting this: “Maybe he’s just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I’m struggling to decide which to list first.” Indeed. I’m not sure he’s kidding either, but the unintended consequences of violating the security of someone’s computer, just because you assume they’ve been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating “good trojans” that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow “white hat” hackers can help fix things. Now, obviously, plenty of people do get infected — but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you’re trusting these “good” hackers to do no harm on top of what’s been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable — but that shouldn’t give you a right to violate their security, even if for a good reason.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?”

Subscribe: RSS Leave a comment
Evil Mike (profile) says:

The depths of nobility and depravity capable by humans are totally available to this discussion…

There are those with the skills and desire to help the ignorant do indeed exist, but I doubt they’ll be hired by corporations.

For all we know, some of the “good” things described have already been done.

Though, that doesn’t touch the ethical considerations mentioned herein. :p

zcat says:

Easier test...

I just assume that everyone running windows is already hacked and that everyone running a *NIX-based OS such as OSX, Linux, or BSD is secure.

The assumption that all windows users are 0wned is correct at least 60% of the time, according to the information I have available. The assumption that non-windows users are secure is correct at least 98% of the time.

What I’d really like to know is how you write a ‘r00tkit’ that’s smart enough to deal with a completely unpredictable environment of malware, and which may already be running under the mother of all rootkits, a VM within a malicious hypervisor.

Peet McKimmie (profile) says:

I remember this happening 20 years ago...

It was back in the heyday of the Atari ST, when floppy-disk viruses tended to be more playful than malicious. One common virus just swapped all your mouse directions by reprogramming your keyboard, so you had to turn the mouse upsides-down to use it sensibly. A month or so later there was a “blank” floppy disk available through the ST PD community that was “infected” deliberately with a virus that overwrote the mouse-swapper virus and then “inoculated” the bootsector to prevent it from recurring. The idea was that you made sure your most commonly used disks were infected/inoculated and then just let the rest of your data disks get cleaned as and when you got round to using them.

I thought it was kind of cool. 🙂

Kevin says:

zcat is wrong...

The assumption that all windows users are 0wned is correct at least 60% of the time, according to the information I have available.

The assumption that all Windows users are 0wned is correct absolutely 0% of the time, as long as there is a single un-0wned Windows user. The assumption that any particular user is 0wned simply because they use Windows might be accurate 60% of the time, but that’s a far cry from what you were saying.

But back to the original article. There’s two major problems with this issue. Firstly, it is likely illegal. But more importantly, it’s not logically sound. It is completely based on a single assumption, and that is that people will always click ‘yes’ or always click ‘no’. It completely fails to account for a third part of the computer using populace which could be described as “people who sometimes click ‘yes’ and sometimes click ‘no’. This includes people like me, who are generally pretty paranoid and usually click ‘no’ to everything, but prefer to use the most secure methods possible when available.

The described system only functions correctly when the assumption that it is based on is true, and since that assumption is not true, it’s unlikely that you could build an effective system based on it.

zcat says:

fucking grammar nazis

The assumption that any particular windows user is 0wned is correct at least 60% of the time, according to information I’ve seen recently.

And yes, I am aware that some mac users and a very small number of Linux noobs are 0wned without knowing it. That’s why I said 98% rather than 100%.

Also there’s nothing stopping MSIE on an 0wned Windows machine from identifying itself as “Firefox/Linux”.

The real answer is that you communicate cryptographically with hardware that’s not so easily 0wned (USB security device, TCP module) or you rely on a completely independent channel such as SMS to confirm that the primary channel isn’t being messed with.

Of if that’s too hard, you accept that there will be some loss and take out insurance.

Chris says:

Real world scenario

Let me put this in a real world scenario for you to see if you still feel the same way.

You’re standing on once side of fence. On the other side you can see someone getting robbed of all their money. You know that if you go over there you can stop the robbery. There is an unlocked gate in the fence next to you. On the gate is a sign that says entry explicitly forbidden. What would you do?

zcat says:

That depends..

How likely is it that after you’ve stopped the robbery, the victim goes ahead and sues you for illegally entering their property?

Besides it’s not actually like that. You can’t actually see through the fence, you have to tresspass first. You might stop a robbery, or you might just be tresspassing. Is it OK to go entering other people’s property simply because it’s insecure and they _could_ be being robbed?

zcat says:

More depends..

Continuing the analogy.. You enter the property, the robber’s accomplice takes you by surprise and relieves you of your weapon. Now you’ve supplied the them with a weapon that can be used in future robberies. Or at the very least they know what weapon you carry and will be prepared for it at the next robbery.

This is a really strained analogy 🙂

Anonymous Coward says:

Even if the user agrees, it’s still illegal to do so *cough* Sony rootkits *cough* and we’ve all seed the multi-million dollar class-action lawsuits.

Is the person who came up with the idea stupid? Yes. Are users just as stupid? Yes. Does that justify installing malware? No.

Anything that ‘pops up’ could be seen as spam, and oh whooops, I accidentally clicked yes instead of no, so I must be a retard that deserves to get rootkitted. Nice flawed stupid logic, he should work for M$!

HCC says:

As soon as this is tried on anyone ‘sufficiently skilled in the art’, it becomes an open question just who’s computer gets control…

Personally I’d find it rather funny to have some idiot open a connection I know about in advance, in an attempt to take over my computer…

This idea, if implemented would be very short lived… but would add a few more corporate level systems to the bot nets… or worse.

GNU/Linux is the future.

mb says:

For every foolproof system we develop, nature will counter with a ‘new and improved fool’. Social engineering continues to plague what was once mitigated by common sense. Still a sad story that humans still believe that computers or AI can replace intelligence and accountability. It’s sad that one wants to surrender the power of choice to be less accountable or responsible. I’d prefer a ‘none of the above’ response or a force quit routine depending on the nature of the site. While the masses are still trying to respond, i’ll be happily automating a process to assist me in avoiding their interuptions on my cell phone as they nag “can I have a moment of your time so you can assist me in my world until I finally decide you are no longer important to me”?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...