Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?

from the asking-for-serious-trouble dept

Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.

As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.

Filed Under: botnets, computers, dan geer, rootkits, security, vulnerabilities


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 22 Nov 2007 @ 1:39pm

    Even if the user agrees, it's still illegal to do so *cough* Sony rootkits *cough* and we've all seed the multi-million dollar class-action lawsuits.

    Is the person who came up with the idea stupid? Yes. Are users just as stupid? Yes. Does that justify installing malware? No.

    Anything that 'pops up' could be seen as spam, and oh whooops, I accidentally clicked yes instead of no, so I must be a retard that deserves to get rootkitted. Nice flawed stupid logic, he should work for M$!

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.