Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?

from the asking-for-serious-trouble dept

Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.

As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously, are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.

Filed Under: botnets, computers, dan geer, rootkits, security, vulnerabilities

Reader Comments


  1. Kevin, 22 Nov 2007 @ 8:49am

    zcat is wrong...

    The assumption that all windows users are 0wned is correct at least 60% of the time, according to the information I have available.

    The assumption that all Windows users are 0wned is correct absolutely 0% of the time, as long as there is a single un-0wned Windows user. The assumption that any particular user is 0wned simply because they use Windows might be accurate 60% of the time, but that's a far cry from what you were saying.

    But back to the original article. There are two major problems with this issue. Firstly, it is likely illegal. But more importantly, it's not logically sound. It is completely based on a single assumption, and that is that people will always click 'yes' or always click 'no'. It completely fails to account for a third part of the computer-using populace which could be described as "people who sometimes click 'yes' and sometimes click 'no'". This includes people like me, who are generally pretty paranoid and usually click 'no' to everything, but prefer to use the most secure methods possible when available.

    The described system only functions correctly when the assumption that it is based on is true, and since that assumption is not true, it's unlikely that you could build an effective system based on it.
