Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Image

Fatal System Error 104

brothke writes "As computing and technology has evolved, so too have the security threats correspondingly evolved. The classic Yankee Doodle virus of 1989 did minimal damage, all while playing a patriotic, albeit monotone song. In 2010, aggressive malware now executes in stealth mode, running in the background with an oblivious end-user, and antivirus software that can’t detect it." Read on for the rest of Ben's review.
Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet
author Joseph Menn
pages 304
publisher PublicAffairs
rating 8/10
reviewer Ben Rothke
ISBN 978-1586487485
summary Non-fiction cyber-thriller with super analytical advice
Cybercrimes have evolved using increasingly sophisticated techniques, and the resulting financial losses are staggering. Many criminal cyber gangs are well organized and resourceful and their ability to recover after new defenses have been deployed make it a challenge for those on the right side of the law.

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is an excellent book billed as a non-fiction cyber-thriller, and describes the cyber gangs who operate on the Internet. Author Joseph Menn, a cyber security reporter for the Financial Times, takes the reader into the inner operations of today's cyber-criminal, who use the Internet as their personal mint.

While Willie Sutton never really said that the reason he robbed banks is because that's where the money is; the truth is that today's cyber criminal does know where the money is, and its address is the Internet. They use the net as a means to steal and extort money from businesses and individuals.

The book's protagonist is Barrett Lyon, a highly skilled technical engineer and entrepreneur, who founded companies such as Prolexic, BitGravity and 3Crowd. It was at Prolexic where Lyon developed the software used to fend off the DoS attacks that were bringing some of his client's networks to a standstill.

Lyon, along with the other major character in the book, Andy Crocker, a British policeman, were the 1-2 punch that resulted in the prosecution of a Russian cyber criminal. The fact that the prosecution took place via the Russian judicial system was a surprise to everyone. What was unusual about the prosecution is that criminals in Russia and Eastern Europe often operate with the assistance of corrupt political and police forces. Even though the evidence against the defendant was significant, the ability to secure a guilty verdict was far from a sure thing.

Much of the book deals with Lyon and his working relationship with BetCRIS, a company offering online gambling services, including sports betting, online casino games, online bingo and mobile gambling.

BetCRIS is an off-shore company, operating in the safe havens of the Republic of Costa Rica. In 2003, at the height of the DoS attacks, the BetCRIS website was down for nearly a month. With tens of millions of dollars of gambling revenue at stake, BetCRIS management were desperate for a solution, and they reached out to Lyon.

While Lyon created a first-generation solution to stop the early DoS attacks, the book details how the attackers were able to get around those countermeasures, and how it turned into a cat and mouse game of futility, where Lyon would create a fix, only to be beguiled by a new attack.

In the book, Menn writes about many of the major players in the Internet criminal world. He spends a good amount of time writing about the infamous Russian Business Network (RBN). He notes that little true business was carried out via the RBN; rather it was a front for Internet-based criminal activities in Russia.

Menn does get into some technical details, but not so much so to confuse a non-technical reader. He covers topics such as botnets, DoS and DDoS attacks, cyberwarfare, cyber espionage, and the difficulty in prosecuting the perpetrators.

Menn notes that there are many reasons why Russia and in Eastern Europe are ground zero for cybercriminals. The educational institutions there provide a good source of technical training; combined that with the fact that legitimate job opportunities are often quite limited. Add to the fact that political and law enforcement officials often ignore the cyber attacks again the rich capitalists of the US, the difficulty and challenges with jurisdiction, and you have a perfect storm for the creation of a sophisticated cyber criminal element. Finally, there is a long and established culture of corruption in Russia and in Eastern Europe that adds to the problem.

There are two directions that Fatal System Error takes. The main part of the book is Menn's narrative, which takes up 11 of the book's 12 chapters. These 11 chapters take the reader on an enthralling ride into the inner workings of the cyber-criminal world. Fatal System Error is an enjoyable read on par books such as The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage and Takedown: The Pursuit and Capture of Kevin Mitnick.

Where the book truly stands out is in the final chapter Fixing What's Fixable, and is worth purchasing for that chapter alone. Menn displays his incredibly deep understanding of the underlying issues around computer security and why we are vulnerable. He suggests numerous pragmatic solutions to the crisis, and how to better secure the Internet and networks.

Some of the ideas include significantly greater budgets for information security, more liability against software developers who write insecure code, greater information sharing between the cybercrime agencies in the US and their counterparts in Russia, and more. His on-target analysis of what the US Government can and should do to increase the security of the Internet infrastructure is quite impressive.

Reading the narrative part of the book, many readers will likely be scared to death to connect their computers to the Internet, and to a limited degree, rightfully so. Even with Menn's balanced and compelling account of what transpired, the threat of identity theft and ease of how financial accounts are breached may be too much for some readers many to bear.

If corporate America and the US Government would take Menn's suggestions to heart on how to create a secure Internet infrastructure, many of those security concerns he wrote about could be obviated, and the cyber criminals of Eastern Europe would have to look for different work.

Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, more funding to teach safer computing in schools, and for a complete re-engineering of the Internet, in order to build in the necessary security functionality which should have been in there in the first place. As part of the process to re-engineer the Internet, Menn suggests designs that create accountability into the Internet fabric.

Finally, Menn notes that many end-users are not blameless. By not educating themselves on how to securely use the Internet, they are setting themselves up to becoming victims. He writes that anyone that connects a computer to the Internet needs to have significant security vigilance to ensure that they don't make themselves a victim. It is 2010 and far too many people are still oblivious to the security threats. Many still naively believe that someone from Nigeria really does want to make them richer with tens of millions of dollars worth of gold from their deceased uncle.

Menn shows how the underlying infrastructure of the Internet is significantly more vulnerable than most people realize. Finally, what exacerbates the problem is that those doing the attacks are working much quicker than those who are trying to secure it.

One of Menn's criticisms is that the US Government spends a fraction of what it should on securing its critical technology infrastructure. Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is the wake-up call that those in Washington, and those charged with IT need to wake up to. Unfortunately, it is likely those that truly need to read this book, will press the information security snooze button yet again.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

*

This discussion has been archived. No new comments can be posted.

Fatal System Error

Comments Filter:
  • "Finally, what exacerbates the problem is that those doing the attacks are working much quicker than those who are trying to secure it."

    More $ to be made in attacking than defending.

  • Uh, no (Score:5, Insightful)

    by causality ( 777677 ) on Friday April 23, 2010 @10:19AM (#31955876)

    Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, more funding to teach safer computing in schools, and for a complete re-engineering of the Internet, in order to build in the necessary security functionality which should have been in there in the first place. As part of the process to re-engineer the Internet, Menn suggests designs that create accountability into the Internet fabric.

    Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? No thanks. A fool and his money are soon parted and there's not much you're going to change about that. Also, I'm sure that "accountability" is a euphamism for "tracked everywhere you go even more than you are now". Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

    • Re:Uh, no (Score:4, Insightful)

      by caffeinemessiah ( 918089 ) on Friday April 23, 2010 @10:24AM (#31955956) Journal

      Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?

      Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to do detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

      And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.

      • Re:Uh, no (Score:5, Insightful)

        by causality ( 777677 ) on Friday April 23, 2010 @10:45AM (#31956250)

        Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?

        Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware. Allow me to give you an example which most people here won't be able to do detect instantaneously: zero-day exploit in Flash + rootkit + trojan. I run a tight ship like the next nerd, but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

        And yes, there are zealots who will undoubtedly say things like "Flash is for suckers" or "what do you expect with Windows?", but these people should consider the fact that (a) not everyone lives in caves, and (b) some people just have more important things to worry about, like losing their homes.

        Flash is known insecure software with a terrible track record, and I treat it as such. I obviously can't make others do the same but they're crazy not to. It undoubtedly helps that I am not using Windows (just why that helps is a separate debate). That to me is basic common sense combined with a few minutes of Googling. If that's the standard now for "living in a cave" then the standards these days are quite low. For your item "b" there, it's a lot easier to keep your home when some criminal hasn't drained your bank accounts for you.

        It's not about Flash, Windows, living in caves, or having other concerns in life. No, those are all distractions from the actual issue, and you can tell because they're always said in the same irritated emotional tone. It's about two different mentalities. They come up in lots of otherwise unrelated issues including those that are much more political in nature. One mentality wants to look after its own interests and equip itself in order to protect itself. The other believes that is too much of a bother, not their problem, or otherwise is someone else's job. I do not exaggerate in the least when I say that big government of the "we know what's good for you" variety derives most of its existence from the latter because these people want someone to take care of them, almost like children.

        So I secure my systems after teaching myself how to do so, and I study good practices. Another person thinks this is too much of a bother and goes with whatever vendor defaults his system came with because to him, security is that vendor's problem only. Guess who gets compromised? Which do you suppose is an easier target? It's not about time or any of those other excuses because you always have time for something you consider important. "I don't have time" is a cute way of saying "this is not a priority". It's about personal responsibility and whether you realize that no one wants to protect your interests quite as much as you do, that all the tools and information you need are out there. Do I have time to be personally responsible and take only the amount of risk I want to take instead of being helplessly dependent on someone else to protect me? Yes, I do have time for that, no caves required.

        • by denobug ( 753200 )
          Let's see, running is perfectly secure system vs. running a mission-critial system that has real-world pernonnel, equipment, and environmental damage should it fail? If those two are mutually exclusive then I choose the later, segregate and isolate the network and running locally with no outside connections.

          We don't live in a perfect world. Unfortunately there are legacy softwares that the accompanying control hardware is difficult to be upgraded espeically if it is running at all times and it takes si
      • Oh please, I think Sony put an end to the delusion that only grandmas and morons are susceptible to phishing or malware

        You mean the people who had autorun enabled, allowing this to happen?

        Allow me to give you an example which most people here won't be able to do detect instantaneously: zero-day exploit in Flash + rootkit + trojan.

        Unless, of course, you disable flash by default and only enabled it for sites you can reasonably trust. While this isn't going to be 100% bulletproof, for most people it would stop this as a vector.

        but my AV software still flags trojans that somehow make it onto my system from time to time, and those are only the ones that it CAN detect.

        THen you're doing it wrong.

        Since the computer is just an appliance to most people (and it is), I used to think that people weren't really wrong in not wanting to think about such common sense steps as would let them prevent harm to themselve

        • by lgw ( 121541 )

          The days when you had to actively do somehting silly, like run an executable, to have malware show up are long gone. Oh, sure, it's possible to disable enough of the functionality of a home computer that you can browse the web safely, but there's not a lot left once you've done so. Yes, this is /. and some people enjoy using Linx, but it's gotten to the point where you can't safely have a PDF viewer.

          The only way to browse safely these days is to create a VM just for that purpose, and roll it back when you'

          • I disagree. The steps are not so simple to take anymore, but they're still there.

            1. Install your PDF viewer of choice, but disable the web browser integration so that it can never open a PDF without your knowledge.

            2. Keep Flash installed, but use a plugin to disable it unless you want to turn it on. Same for Java and Silverlight. The only thing that's a bit silly about this is that it really shouldn't require a plugin.

            3. All the usual - don't install things unless you know they're from trusted indi

            • by lgw ( 121541 )

              That's a complicted list to follow, even for a geek, and it has this big downside: I want to see PDFs in my broswer, and flash, and javascript, and etc. Your asking me to do a lot of work in order to be penalized.

              Proper sandboxing is a much better answer - you still have to worry about jailbreaks, but that's all you have to worry about, unless you really are stupid enough to run random executables. Fortunately, app sandboxing through virtualization is here already, it just needs to mature a bit (whether i

    • Re: (Score:3, Insightful)

      by rickb928 ( 945187 )

      "Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea?"

      Uh, no. With MITM attacks, spoofing raised to a fine art, SSL hijacks of any number of diffeent methods, fake/spoofed/stolen certificates, it can be very, very hard to avoid making a mistake and trusting something you should not.

      "No thanks. A fool and his money are soon parted and there's not much you'

      • Re: (Score:3, Insightful)

        by causality ( 777677 )

        Uh, no. With MITM attacks, spoofing raised to a fine art, SSL hijacks of any number of diffeent methods, fake/spoofed/stolen certificates, it can be very, very hard to avoid making a mistake and trusting something you should not.

        I agree that there are sophisticated methods by which a determined adversary concentrating his efforts against a particular target might effect a compromise. However, if all compromises were of this type only, then ID theft would be a nearly unknown crime and botnets unheard-of.

        • I managed a very small ISP for a while on the 90s, and have my own mail and web servers to this day.

          The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.

          Your operating system choice makes no

          • Re: (Score:3, Interesting)

            by causality ( 777677 )

            I managed a very small ISP for a while on the 90s, and have my own mail and web servers to this day.

            The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.

            Your operating system choice makes no difference. They attack everything. You just use different tools and methods depending on what's available and what works.

            I know what you mean. I run a very small-scale personal-use SFTP server (no shell access for any account) so I can access some of my files remotely. I use SSHGuard to hinder brute-force attacks and LogSentry to keep abreast of the activity. I constantly receive attacks at all hours of the day. They're quite dumb and have little or no sophistication; most are just trying to guess default passwords for system accounts and such.

            I have told many people the same thing you just said. I have explained that

            • "I have explained that if you run any sort of Internet-facing network service, you will get attacked and probably with high frequency."

              Actually, you might want to be more accurate. They -ARE- being attacked, whether they know it or not. Not knowing it leads easily to not knowing they ahve been compromised. They -ARE- being attacked. Not 'will'.

              "When you build everything from source, you can implement protections against buffer overflows and other vulnerabilities that aren't available on a closed-source

              • well, not everyone who wants to run an Internet server is a programmer, or has skills in security or OS management. If you follow the lead of many in the community, you will say that if they don't know what they are doing, they shouldn't be doing it. Well, that's close to telling people that it is not safe, so don't. This makes the Internet a different place than the creators intended, but it may in the end be unavoidable.

                I personally intrepret that a different way. To me, it means "another person taught

            • by lgw ( 121541 )

              Well, there are systems obscure enough to remain secure, but certainly not any flavor of Linux or BSD. That guy who wrote the Commodore 64-based web server? He's probably OK, as are people who've written an OS that's substantively their own (this used to be pretty common for old mainframes running some varient of DOS/VSE, but most of that hardware is dead now).

              I wonder about Netware. I know that some Three Letter Agencies used to make good use of Netware, which seemed smart to me as all the people who kn

    • by medcalf ( 68293 )
      Well, yes. When you have a tool that is easily abused, you redesign it to be less easily abused. The Internet is far, far past its optimal expiration life and design use cases, kept alive by the cost of replacing it with something better. The evidence for the Internet being past its optimal life is the prevalence of spam, malware and botnets. While no system can be completely secure, it's possible (via non-deniability if you're feeling big brotherish, or webs of trust if you're feeling libertarian, and pack
      • by Hatta ( 162192 )

        Redesigning the internet so it can be controlled by a powerful few would be much more prone to abuse than the current internet.

    • Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? ... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

      You have a very narrow view of what is and isn't a vulnerablility on the internet.

      We're not just talking phishing sites and nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc etc etc. The status quo is almost entirely trust based and in the long run, cannot stand.

      • Great, so they want to redesign the Internet because people don't want to learn how to identify a phishing site and can't understand that giving your account numbers to unverifiable strangers is a bad idea? ... Seems to me they are trying to increase protection against petty criminals while drastically reducing protection against overzealous governments that want to censor.

        You have a very narrow view of what is and isn't a vulnerablility on the internet.

        We're not just talking phishing sites and nigerian scammers. Man-in-the-middle attacks, fake certs, Pakistan accidentally nuking YouTube with faulty BGP routing info, etc etc etc. The status quo is almost entirely trust based and in the long run, cannot stand.

        The nice thing about trust-based situations is that you can choose to regard them as untrustworthy and proceed accordingly. It's a rare day indeed that I hear of a compromise where someone chose to do this.

    • by Creepy ( 93888 )

      of course, we have exactly what he's asking for - it's called IPv6 - built in unique ID, built in security (IPsec), and nobody would ever want to use NAT (at least that's what a KAME developer told me, lol).

      Of course, if you're a little paranoid, you'd realize marketing and governments know exactly who uses every box. Not something I like to think about...

  • by Anonymous Coward
    There's 3 different tones in the first 4 notes alone, goodness!!!
  • Pedantic, but... (Score:2, Informative)

    by Anonymous Coward

    monophonic != monotone

    • Re: (Score:3, Insightful)

      That's not pedantic, that's basic terminology. MonoTONE would be one TONE. Monophonic would be one "sound" [at a time]. The "monotonic Yankee Doodle" does not even make sense...
      • That's not pedantic, that's basic terminology. MonoTONE would be one TONE. Monophonic would be one "sound" [at a time]. The "monotonic Yankee Doodle" does not even make sense...

        I never heard the original Yankee Doodle virus, but the quality of computer sound used to be quite bad, and "Yankee Doodle" played without pitch changes would still be recognizable from the rhythm.

        • but the quality of computer sound used to be quite bad, and "Yankee Doodle" played without pitch changes would still be recognizable from the rhythm.

          If they actually meant monotone... but it's difficult to believe that in 1989, the computer-generated sound was actually monotonic.

      • Yep, i.e., a single note at a time, no multi-note harmonies.

        All you pedants go dig deeper with harmonic frequencies and more acoustics signal processing for your own amusement if you like.

        • "Multi-note harmonies" = polyphony.

          It's not a pedantic. It's the meaning of the word. Flat. Unvarying. Never changes. an unchanging intonation according to Google.

          I am pretty sure this would be similar to me saying that Linux == Ubuntu. Most people would not particularly like that here ;)

          • I was agreeing with you, but was suggesting the use of the term "note" instead of "sound" as a better alternative to convey your meaning. The "pedants" I had in mind were those who would go on about how a "note" can contain multiple harmonics, and so forth, unless the note is a sign wave.
  • by Areyoukiddingme ( 1289470 ) on Friday April 23, 2010 @10:40AM (#31956178)

    Somehow it appears the book reviewer confused Slashdot for the Ladies Home Journal. Was it really necessary to use the "cyber" prefix 47 times? Really? Because we're so impressed when it's a cybergang, instead of just a gang.

    One hopes the book isn't that bad...

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday April 23, 2010 @10:51AM (#31956346)

      He knew there was a cyber-gang out there waiting to commit their next cyber-crime. Frank knew he had to catch them with the cyber-goods. Frank's 45 wouldn't be much help on this cyber-collar. Frank needed something better. Frank needed a cyber-45. Frank knew only one person who could supply him with that, Cyber-Jimmy. The best cyber-fence in the cyber-world. Frank pulled up to the next cyber-phone to give Cyber-Jimmy a cyber-call.

      The cyber-phone cyber rang.

      Cyber-Smurf here, came the reply.

  • by gx5000 ( 863863 ) on Friday April 23, 2010 @10:52AM (#31956352)
    All i see is another book that uses paranoia and fear to sell....
    Hidden code...oooo....Stealth Mode executing..aahhhhh...Root kits ! *GAG*

    I know we're talking about the common user here....
    But drive a car with no regards and you get the same thing...an accident.
    Get a mechanic, a good one that can show you the pratfalls and some fixes.

    But if you drive like a fool and visit "those" sites you get what you get.
    Get Acronis a re-image your ass every week....you'll be fine.
    • by Machtyn ( 759119 )
      The problem is, most people don't know they should get themselves a good computer mechanic to show them the ropes. There is no real manual to safe computing or rules of the road for computers. That is, when you get a car, you license yourself and basically prove you know how to use it so as not to endanger yourself and others.

      I hate to say it because it will make me sound one-sided, but Microsoft's control on the market is a huge detriment to security. The major computer manufacturers still don't prelo
      • by gx5000 ( 863863 )
        Rambling ? not at all... Do we need to say it ? Planned absolesense and degradation.... You could make a bullet proof internet client etc... The next thing you know it would come under state control... The Kaotic nature of the web is what keeps it free and dangerous... The lack of education (not tools) is what keeps the revenues up.... If every ISP terminated all nefarious websites and accounts they would lose untold millions... It's the old perfecting the battery story, if you make something that good, yo
    • Not going to "those" sites is not enough anymore. An employee of ours recently got a virus from a pdf exploit from the website for the Professional photographer for a family wedding. Her website got hacked, and without realizing it she was infecting all the customers she sent links to review their photos so they could order copies. I confirmed it myself with a VM. It blew right through a fully updated AV, and reader plug-in was only about 30 days out of date. Telling users not to go to the "bad" places

  • Missing something? (Score:5, Informative)

    by American AC in Paris ( 230456 ) on Friday April 23, 2010 @10:56AM (#31956428) Homepage

    "As computing and technology has evolved, so too have the security threats correspondingly evolved. The classic Yankee Doodle virus of 1989 did minimal damage, all while playing a patriotic, albeit monotone song. In 2010, aggressive malware now executes in stealth mode, running in the background with an oblivious end-user, and antivirus software that can’t detect it."

    Yeah, the 1989 Yankee Doodle virus was pretty harmless.

    You need to go all the way back to 1988 to find a worm which effectively shut down the Internet.

    How one can overlook the Morris Worm in this context is completely beyond me.

    • by gx5000 ( 863863 )
      Well put... Melissa probably reduced him to tears...ugh
    • Re: (Score:1, Funny)

      by Anonymous Coward

      The Morris worm affected Unix.

      Unix is completely safe.

      Therefore, the Morris worm never happened.

    • Exactly. Even if you look at just viruses for Microsoft platforms, Dark Avenger came out in 1989, spread wildly and destroyed user data without caution.

  • by Anonymous Coward

    #1 - The first rule of cyberwarfare is, you do not talk about Microsoft.

    #2 - The second rule of cyberwarfare is, you DO NOT talk about Microsoft.

  • by wiredog ( 43288 ) on Friday April 23, 2010 @11:28AM (#31956946) Journal

    more liability against software developers who write insecure code

    So now we have to buy expensive insurance before we write OSS code? What about the liability of students?

    • more liability against software developers who write insecure code

      So now we have to buy expensive insurance before we write OSS code? What about the liability of students?

      If done sensibly, you'd have to buy insurance if you sell software. If you take money for it, you should also take responsibility for it.

    • I guess the question to ask is - what is more vulnerable to to virus threats, Linux (OSS) or Windows (Closed source)?
      Nuff said.
  • Comment removed based on user account deletion
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      dude, this is /.

      they hate, they judge, and never read the books :)

      seriously...look at all fo the comments for this and others books.
      the people who comment obsess on tiny little things (for this review, the word 'cyber'),
      but they never discuss the merits of the book.

      i feel your pain.

  • Who needs malware when we have McAfee anti-virus signature file updates?

  • by nuckfuts ( 690967 ) on Friday April 23, 2010 @01:53PM (#31958902)

    malware now executes in stealth mode, running in the background with an oblivious end-user

    I've long need puzzled by malware that doesn't do this. Many trojans I've cleaned from people's computers download other pieces of malware. I once gave a demonstration of "drive-by" infection where merely viewing a malicious web page on an unpatched system resulted in nearly 20 new processes being spawned in the background. Impressive, in a way, but exceedingly obvious. Even clueless users can't help but notice that something is wrong, and IT gets called in to clean it.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...