Aliens, astronauts and Pope partition PC World
Shareholders welcome their new overlords
The story of the downfall of teen botnet master SoBe had you arguing over where the blame fell and how much went to whom. It got pretty lively:
Another Skiddie bites the dust but the problem remains. As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense. I also hold Microsoft (and to a much lesser extent other software companies) responsible for their atrocious attitude to and track record on security.
A basic flaw, for example, with Windows (until Vista at least) is that by default, on home user systems, a user account has full administrative rights with no challenge dialogs generated when they are used. Worse, an awful lot of software, written by Microsoft as well as others, will not even install or in some cases execute, without such privileges.
This guy was not really talented, not especially intelligent, but he learned that it was relatively easy and financially rewarding to use his skills, such as they were, to compromise poorly protected and/or ineptly used machines, for a bare minimum of effort on his part. It also clearly made him feel 'big' and 'clever', plastering over his poor self esteem. In short: The American Dream (tm).
This skiddie isn't the first and he will not be the last, in fact, until Joe Luser takes some responsibility for the security of his machine and exercizes some common sense and moral judgement (how about not downloading that 'free', i.e. stolen, version of your favourite software? The one loaded with trojans.) this problem will be with us, no matter how hard people work on education of users, removal of the payloads, prosecution of the perpetrators and so on.
John PM Chappell
Actually, a victim can be considered to have supplied provocation or mitigating circumstances, so aye, pretty much.
Where I come from (Scotland) it is a more serious offence to steal from a secured vessel or premises than from one which was not. This is because the law recognizes that when a person takes steps to secure their property (and privacy) those who then commit offences against it have shown a determination to do so not merely stumbled upon it and taken advantage ('opportunity crime'). I think this is directly applicable as an analogy for what happened with these botnets; through ignorance or casual disregard many of the bot hosts failed to secure their machines and were compromised.
It's not fashionable to point this out in the present world of "Teh IntarWeb" and "Web 2.0" but connecting machines to a network is inherently risky unless you control all the machines on that network and/or trust all the users. Connecting your machine to a global network via an 'always on' connection and leaving it powered on for most of the day is quite literally asking for trouble. If you want to do this you need to take some common sense measures, ideally you make sure you are sitting behind a real firewall (software is _not_ a firewall, folks, no matter what MS or MacAfee tell you) with your machine using a non-routable address and that the firewall operates proper port access protocols. This used to require some savvy and a bit of cash but today you can get it for free from an ISP or shell out maybe 40 quid at Tesco.
All that said, you ignored the fact that I clearly said the skiddie's actions were not excused, rather I pointed out how an unremarkable teen can commit these actions easily because of the failings of others, including the user of the compromised machines.
[Penguin because it goes a long way towards stopping this kind of stuff]
John PM Chappell
Mini skirt, prancing, leaving your doors unlocked, passing the blame to Microsoft, blaming the victim in general?
None of that is an excuse for someone. It's as bad as saying "Well, the victim shouldn't have left their house door open while they mowed the lawn, it's their own damn fault that I was able to walk in, steal their TV and Stereo!".
I, for one, hope this little shithead gets ten years in Federal prison.
Personally, I'd like a return to 'justice', Mongolian style. Back in the 13th century, a women could walk, naked and draped in gold chains, from China to Hungary. Anyone touched her, the mongol army would 'discourage' them and make sure that they never, ever, repeated their crime.
Same thing should apply to this kind of idiot, ten years in Federal prison, and a court order to never even touch a computer again, on pain of a life sentence.
Like it or not, 'Joe Luser' on his computer pays the bills. The rest of us whoa re properly educated in being totally and uncompromising paranoid have to live with it.
While reading all of the comments, I noticed people are questioning his intelligence because of some of his actions that got him caught. I would argue there is a big difference between acting based on naiveté and acting based on stupidity. He was a kid, and did things that kids do because they do not have the "common sense", "life experience", "street sense", or "life experience" to know not to do certain things. Unless, of course, you are stupid enough to think you really did have life mastered by the age of 18.
From reading the article, it is obvious his naiveté got him caught, not a lack of intelligence. Too bad he could not have met a better mentor to direct his skill and motivation to something more legal and ultimately profitable.
Microsoft has fingered computer makers over the fiasco that was the release of Windows XP Service Pack 3. The software behemoth blamed OEMs loading the wrong "Sysprepped"* XP image on to machines with non-Intel chipsets for causing the problems. You still had harsh words to say about Microsoft:
Typical MS fragility to assume that every file is in exactly the right place and every reg key is set exactly right.
If MS has known about this issue for 4 years, seems like that's enough time to put a fix in for it. Or is it too much to ask for a good customer experience.
This isn't really a MS bash, more an observation, but I would have though MS's internal testing (and betas?) would have tested the SP against common customer configurations?
This sort of configuration sounds common enough to me (subjective I guess given the media talk surrounding it) and they knew about it in 2004, so why not specifically test such a case?
It sounds a bit like MS getting annoyed with OEMs doing that, and so deciding to screw them over. Those who insta-blame MS suddenly look bad temporarily and MS get to blame someone else, so MS look like the heroes here until they mess up the next time... got to love PR.
I put SP3 on my fully patched up to date intel machine. I run it as a trim machine (XP, ha ha) with the minimum of extra software installed and the SP3 installer tells me it can't install SP3 as "As an extra install/update is needed first" but won't tell me what.
Well maybe it's done me a favour, so *Shrug*
Like lots of smart IT-savvy folks have pointed out, this can affect any platform. If you have a *nix system and decide one day you want to plug your HD into a brand-new-to-the-market RAID controller. Your machine will POST fine, and most likely even get to the boot loader OK, since that's typically a lower level INT/BIOS function to get the drive spinning to a point where the system can recognize it. Yet, when the platform loads, it may panic/blue screen since the OS can't find a driver to know how to interpret the controller. Same deal with video cards or processor architecture classes. No matter what your platform or hardware, if the OS doesn't know how to properly access the hardware, you're dead in the water.
Paris, because so many people are clueless and hop on a bandwagon without really knowing anything.
Sponsored: Benefits from the lessons learned in HPC