r...@gsp.org (Rich Kulawiec) writes:

> ...
> This should be burned into the brain of everyone working in security:
>
>       If someone else can run arbitrary code on your computer,
>       it's not YOUR computer any more.
>
> And allowing computers known-owned by the enemy to operate on
> one's network is off-the-scale stupid.
> ...

on a whiteboard, this is provably true, and is the only reasonable conclusion. off the whiteboard, no ISP can afford to take this position and no online retailer can afford to take this position and so the security industry (by which i include the regulators) can afford to take this position.

you're shining a bright light on the tip of a very large can of worms here. so many millions of hosts are compromised in the way you say, that anyone who refused commerce or service to same would see a notable dent in their traffic volume. every windows machine is infected by something at some time, and the various defenseware solutions aren't usually 100% effective at removing all traces and/or keeping the same thing or a similar thing from coming back or reactivating.

hotmail and gmail can't even afford to reject e-mail coming from known-compromised machines, since their own users would complain. so they do expensive half-measures like greylisting for a few hours or days and hope that some kind of remediation takes place, which generally does not take place. amazon and ebay and paypal can't afford to reject commerce from known-infected machines, because too many legitimate transactions from real users of known-infected machines would be prevented, and anyone who leaves 3% or 5% of their potential revenue on the table inevitably gets bought or put out of business by those who do not.

malware has penetrated not just the skin, but the bones and DNA of the internet economy. it's everywhere and it's not going away ever. there will always be something infected, and in a race to the bottom there will always be competitors willing to serve those infected machines, and there will never be a regulator willing to say "don't anybody serve them, so that there's no competitive disadvantage in the not-serving."

the scourge of human nature will be with us always. if humanity some day reaches the stars, we will bring our spammers with us, and re-fight old battles with them then and there.

--
Paul Vixie
KI6YSY

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.