Re: Spyware becomes increasingly malicious
On Wed, Jul 14, 2004, Michel Py wrote:
In exchange for his life, appoint Saddam Hussein to rid us of spyware writers. As he's on a roll, let's put spammers in the deal, too. The guy has a proven track record; problem is, most of us live in a society that opposes his methods, so this does not fly.

Can we call Godwin out on this comment?

Guys, girls, etc. This whole "MacOS is based on BSD, which has been looked at for years" discussion is actually quite silly. Why? Because the majority of the code in MacOS X which would be abused is not going to be BSD based. A bug in cat? tar? sed? No. It'll be a bug in Mail.app, how it ties into the Helper app, possibly Finder.app and AppleScript. It'll be some image overflow in Safari, via KHTML and Aqua's rendering engine. It'll be something that Is Very Not Going To Ever Have Been A Part of What You Call BSD.

So, I call crapola on that argument, and invoke a Godwin-for-21st-century based on the above comment. Let's move on.

Adrian

-- 
Adrian Chadd [EMAIL PROTECTED]
I'm only a fanboy if I emailed Wesley Crusher.
Re: Spyware becomes increasingly malicious (let's return to reality)
Ok, let's return to reality (sorry for moving this thread into the OS-related flame).

First of all, even if the OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly. But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil. The system must distinguish between 'USER' mode (use applications but do not change system behavior) and 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, the system must ask for a password to do any such action. (If you know MS, you can imagine what a nightmare it is to implement this -- I worked with IDS such as Osiris and had fun guessing what the system had decided to change today. But it is not a problem in most other OSes.)

The second, and even worse, problem is the absence of ANY system interface showing you what is starting, stopping and running. It is no problem to remove spyware, from a common point of view - just open the 'list of running processes' and the 'Startup list' and uncheck everything you do not want to see. The problem: such an interface does not exist, is not possible because of complexity (there are millions of ways of starting anything) and cannot trace the history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'plugins' and 'toolbars' and so on). Anyway, a good 'change history' system could easily revert such changes back, so that instead of very complex 'adware' scanners we will have just a 'change history, revert?' button.

The third is easier for an ISP - if we cannot fight the bad software, fight those who get a profit using it.

For SPAM - ok, there is not ANY way to stop the sending of spam (for now), but any SPAM advertises someone, and this someone is always 100% identified - so fight (limit, flood by calls, overload by false information, etc.) the SPAM beneficiaries, teach them not to purchase 'We will send your advertisement to 10M people over the world'. The same in the case of adware. For spyware, fight those who receive the information back - by any means.

- Original Message - From: John Underhill [EMAIL PROTECTED] To: Niels Bakker [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, July 14, 2004 1:12 PM Subject: Re: Spyware becomes increasingly malicious

Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure, of course. Do I think they are actively working on the problem, yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.
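The 'change history, revert?' idea above is easy to sketch. The following is an added example, not code from the thread or from Osiris: it snapshots the places software can hook itself to start, diffs a later snapshot against the baseline, and splits the revert actions by whether they need INSTALL-mode rights. The two snapshots, the registry key names used as labels, and the CLSID placeholder are all constructed in memory; a real tool would read Run keys, startup folders, rc scripts and cron tables.

```python
"""Change history over autostart locations, with a revert plan.

Added example (not from the thread). Snapshots are constructed in memory.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    location: str   # registry key, file path, crontab line, ...
    scope: str      # "system": needs install rights to change; "user": per-user
    command: str    # what gets launched


def fingerprint(entry: Entry) -> str:
    """Stable hash of what the hook launches, so modifications are detected."""
    return hashlib.sha256(f"{entry.location}\0{entry.command}".encode()).hexdigest()[:16]


def snapshot(entries: list[Entry]) -> dict[str, tuple[str, Entry]]:
    """Index entries by location -> (fingerprint, entry)."""
    return {e.location: (fingerprint(e), e) for e in entries}


def diff(baseline, current):
    """Return (added, removed, modified) between two snapshots."""
    added = [current[k][1] for k in current.keys() - baseline.keys()]
    removed = [baseline[k][1] for k in baseline.keys() - current.keys()]
    modified = [(baseline[k][1], current[k][1])
                for k in baseline.keys() & current.keys()
                if baseline[k][0] != current[k][0]]
    return added, removed, modified


def revert_plan(baseline, current):
    """Actions that bring `current` back to `baseline`:
    (verb, location, scope, value to remove or restore), sorted for stable output."""
    added, removed, modified = diff(baseline, current)
    plan = [("remove", e.location, e.scope, e.command) for e in added]
    plan += [("restore", e.location, e.scope, e.command) for e in removed]
    plan += [("restore", old.location, old.scope, old.command) for old, _new in modified]
    return sorted(plan)


def split_by_privilege(plan, have_install_rights: bool):
    """USER mode can only undo per-user hooks; system-scope actions need the
    INSTALL-mode password prompt the post argues for."""
    can_do_now = [a for a in plan if a[2] == "user" or have_install_rights]
    needs_password = [a for a in plan if a[2] == "system" and not have_install_rights]
    return can_do_now, needs_password


# Constructed sample: a host before and after a "free" game installer ran.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
URUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BHO = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

BASELINE = snapshot([
    Entry(RUN + r"\AntiVirus", "system", r"C:\Program Files\AV\av.exe"),
    Entry(URUN + r"\Messenger", "user", r"C:\Program Files\Messenger\msmsgs.exe"),
    Entry("/etc/rc.local", "system", "/usr/sbin/sshd"),
])
AFTER_INSTALL = snapshot([
    Entry(RUN + r"\AntiVirus", "system", r"C:\Program Files\AV\av.exe"),
    Entry(URUN + r"\Messenger", "user", r"C:\Program Files\Messenger\msmsgs.exe"),
    Entry(URUN + r"\CoolSearch", "user", r"C:\WINDOWS\coolsearch.exe /ads"),      # added, per-user
    Entry(BHO + r"\{constructed-clsid}", "system", r"C:\WINDOWS\cstoolbar.dll"),  # added, system-wide
    Entry("/etc/rc.local", "system", "/usr/sbin/sshd\n/tmp/.x/adserver &"),      # modified
])

if __name__ == "__main__":
    plan = revert_plan(BASELINE, AFTER_INSTALL)
    now, later = split_by_privilege(plan, have_install_rights=False)
    for action in now:
        print("revert now     :", action)
    for action in later:
        print("needs password :", action)
```

The split matters for the 'USER' versus 'INSTALL' mode argument: an unprivileged user can undo the per-user Run entry immediately, while the BHO and the rc.local change are exactly the actions that should have required a password in the first place.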
- Original Message - From: Niels Bakker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, July 14, 2004 3:31 PM Subject: Re: Spyware becomes increasingly malicious Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in the comparable numbers (if any)? * [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]: This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code. It has. Darwin is based on years of development in BSD code. -- Niels. -- Today's subliminal thought is:
working sltnet.lk contact
Hi! I'm looking for a working sltnet.lk contact. Please contact me off-list. Thanks!

Tycho

-- 
Tycho Eggen (Unix|Network) Engineer
I wouldn't recommend sex, drugs or insanity for everyone, but they've always worked for me. - Hunter S. Thompson (Fear & Loathing in Las Vegas)
Regional differences in P2P
Apparently CacheLogic based most of their conclusions on data collected from a European tier 1 ISP. However, another study by Sandvine found regional differences in file sharing networks. Europe and the US don't have the same file sharing patterns, or even popular file sharing programs. http://www.sandvine.com/solutions/pdfs/Euro_Filesharing_DiffUnique.pdf Of course, there is always CAIDA's data. Peer-to-peer analysis is on their long range plans. http://www.caida.org/projects/progplan/progplan03.xml
Re: Crackdowns don't slow Internet piracy
On Wed, Jul 14, 2004 at 10:27:01PM -0700, Michel Py wrote: That's what I meant, thanks for rephrasing. $10M a year is definitely something that any size company will try to save; I remember posting here not that long ago that a $500k line card is definitely something I do not buy without a good reason. *Gasp* You mean ISPs are finding that their customers actually want to use the service they're paying for? I'm shocked and appalled! Next thing you know, someone will be saying that customers are actually signing up for high speed Internet service specifically because they want to use it to transfer things. How can we stop this travesty, as quickly as possible? Folks spend all this time whining about the need for the killer app to create more demand for the service, then when it finally comes along they whine about how hard it is to support the service with people actually using it. You can't have it both ways. -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Regional differences in P2P
On Jul 15, 2004, at 5:25 AM, Mikael Abrahamsson wrote:

On Thu, 15 Jul 2004, Sean Donelan wrote:
Apparently CacheLogic based most of their conclusions on data collected from a European tier 1 ISP. However, another study by Sandvine found regional differences in file sharing networks. Europe and the US don't have the same file sharing patterns, or even popular file sharing programs.

I would also like to add that over here Direct Connect is quite common among the more organized and hard-core file swappers, while the really-hardcore guys of course are still using private ftp servers. With proliferation of 10 meg ethernet (full duplex) connections for residential use in (especially) northern europe and in asia, users are more likely to serve content to other users around the world. I have made some studies regarding the bandwidth usage pattern between equal size populations where the difference is if they have ADSL 8M/800k or if they have 10M/10M. The amount of data served is 1/3rd on ADSL compared to the symmetric ethernet population, and as a population they serve out more content than they download (approx twice the amount) on ethernet. The ADSL population peak at approx twice the bw as they serve, but on average they serve a little less than they download. Hmm, the above wasn't very clear, but here it goes in another format:

Ethernet:
- Peak almost twice upload as download.
- Average is 2.5-3 times more upload than download.

ADSL 8M/800k:
- Peak twice the amount download as upload
- Average is 1.3-1.5 more download than upload
- Upload bw usage is almost flat over time
- Download bw peak is approx double the average level.

My interpretation of this is that p2p networks are quite intelligent in using the available bandwidth, and that copyright holders' only solution is a content crunch due to providers limiting their users' upload potential due to heavy usage, such as capping the amount of bandwidth allowed per month or alike.

Let's hope that their users don't try to do things like videoconferencing from home. (Like I do.)

-- 
Mikael Abrahamsson email: [EMAIL PROTECTED]

Regards
Marshall Eubanks
T.M. Eubanks e-mail : [EMAIL PROTECTED] http://www.telesuite.com
Re: Regional differences in P2P
On Thu, 15 Jul 2004, Marshall Eubanks wrote:
Let's hope that their users don't try to do things like videoconferencing from home. (Like I do.)

Have you calculated the amount of BW you use with your video conferencing? The usage of savvy p2p-using households can be in the hundreds of gigabytes/month which I doubt you'll get with your videoconferencing? 100 kilobits/s over a month is approx 35 gigabytes.

-- 
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Regional differences in P2P
Sean Donelan wrote: Apparently CacheLogic based most of their conclusions on data collected from a European tier 1 ISP. However, another study by Sandvine found regional differences in file sharing networks. Europe and the US don't have the same file sharing patterns, or even popular file sharing programs. http://www.sandvine.com/solutions/pdfs/Euro_Filesharing_DiffUnique.pdf If you leave BitTorrent out, which is probably the fastest growing protocol out there, the statistics are missing about one third of the bits moved. Pete
Re: Spyware becomes increasingly malicious
** Reply to message from Alexei Roudnev [EMAIL PROTECTED] on Wed, 14 Jul 2004 22:52:07 -0700

Maybe the idea was that people read the 'license', click the button (I agree) and follow it - never write code which violates this license? But it is not true - 99.99% of people do not read it and behave as common sense says, not as [EMAIL PROTECTED] MS lawyers fictioned... They see a wall with a gate - and they go through this gate, no matter what is written on the posters around (except, as I said, if they see an angry dog next to the gate). /On the other hand, they know that coffee is hot and a waterfall is dangerous and dogs can bite -:)/. You must design your system for this behavior, not for people who _read a license_. These licenses are good only for 2 goals - (1) use them as toilet tissue; (2) in case of serious violation, allow suing the user if he is in the USA... -- they do not change people's behavior even a bit. Unfortunately, the Internet is not in the USA, so even if we have 100 strict laws prohibiting spyware, it will not help to fight these pests and pets... The system must defend itself.

For awhile there, one of the top tech support issues we had to deal with was a new - and automatically implemented - feature in Outlook Express that blocked a person from running or saving something that Microsoft considered a dangerous file attachment. Such dangerous file attachments included .jpg, .pdf and music files. Oddly enough, it didn't seem to include .doc or .xls files. You know, the ones that actually can contain macro viruses. Because of Microsoft's ham-handed and all-or-nothing attempt at security many people now don't trust or ignore any warning messages they may receive - they simply want to view their file attachments.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
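The complaint above is that an extension blocklist blocked .jpg, .pdf and music files while waving through .doc and .xls, the formats that can actually carry macros. An added example, not code from the thread or from any mail client, of deciding on content instead of file name: the verdict comes from the leading bytes of the attachment, so a renamed executable or a macro container is caught regardless of what it is called. The sample attachments are constructed byte strings; the signatures are the standard ones for each format.

```python
"""Screen e-mail attachments by content, not by file-name extension.

Added example (not from the thread). Samples are constructed headers only.
"""
from __future__ import annotations

import os

# Leading-byte signatures for the formats named in the thread, plus executables.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"ID3": "mp3",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt container
    b"MZ": "pe",                                  # Windows EXE/DLL/SCR
}
MACRO_CAPABLE = {"ole2"}
EXECUTABLE = {"pe"}
EXPECTED_BY_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
                   ".mp3": "mp3", ".doc": "ole2", ".xls": "ole2"}


def sniff(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'warn' or 'block'."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind in EXECUTABLE:
        return "block", f"{kind} executable content under name {filename}"
    if kind in MACRO_CAPABLE:
        return "warn", f"{kind} container can carry macros"
    if kind == "unknown":
        return "warn", "unrecognised content"
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is not None and expected != kind:
        return "warn", f"extension {ext} does not match {kind} content"
    return "allow", f"{kind} content matches name"


# Constructed samples (file headers only; not real attachments).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,   # executable renamed to look like an image
    "song.mp3": b"%PDF-1.4\n",                  # PDF named as music: name/content mismatch
}


def screen(samples=SAMPLES) -> dict[str, str]:
    """Verdict per attachment name."""
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} -> {classify(name, data)}")
```

The three-way verdict is deliberate: blocking only what is provably executable and warning on the rest keeps the warnings rare enough that users might still read them, which is the trust problem the post describes.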
Re: working sltnet.lk contact
Today at 08:57 (+0200), Tycho Eggen wrote:
Date: Thu, 15 Jul 2004 08:57:45 +0200 From: Tycho Eggen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: working sltnet.lk contact
Hi! I'm looking for a working sltnet.lk contact.

Let me guess, the weeks and weeks of Netsky messages have finally gotten to you? Coincidentally, I, myself, just shot off a note to the POC listed in the APNIC whois... I'll take it you got no response from [EMAIL PROTECTED] Judging from the To:/From: addresses and the bounced addresses I've received, I'm guessing that the infected Sri Lankan DSL customer might subscribe to NANOG. Hey, if you're listening, clean your host! Pretty please.

- Christopher
Re: Spyware becomes increasingly malicious (let's return to reality)
- First of all, even if the OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly. -

Not necessarily true. Security/permissions play a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install Cool-Search, their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE. Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their Cool-Search and non-privileged users can't install anything. When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party. User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.

-b

On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev [EMAIL PROTECTED] wrote:
Ok, let's return to reality (sorry for moving this thread into the OS-related flame). First of all, even if the OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly. But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil.
Re: Spyware becomes increasingly malicious (let's return to reality)
The problem is Active-X, not the OS. Anything running from the browser should be in a sandbox as it is with Java applications; the same is true for the email client. Active-X gives scripts running from the browser and the email client access to the entire machine in the name of functionality. In some cases users are prompted to authorize the installation of software when they get to a web page. Even when they choose No, the software continues to install. It's a security hole big enough to drive a tank through. Mozilla is your friend.

Curtis

-- 
Curtis Maurand mailto:[EMAIL PROTECTED] http://www.maurand.com

On Thu, 15 Jul 2004, Brett wrote:
- First of all, even if the OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly. -

Not necessarily true. Security/permissions play a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install Cool-Search, their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE. Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their Cool-Search and non-privileged users can't install anything. When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party.
User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.

-b
ppt file for US-Sprint Optical Internet Design?
hi all: does anyone here have the ppt file for Peter Lothberg's US-Sprint Optical Internet Design? tia

dave_au
BGP Dampening question
I was needing to know if anyone could assist in helping me find a solution to a problem I am experiencing. Here is the scenario: I have an AS 20 that has 2 circuits, one to City A and one to City B. City A and City B are in another AS, let's say AS 1. In my AS 20, I am learning the default route via EBGP from City A, through my primary link, and also have a static route configured to traverse my secondary link, to City B. If I keep seeing the physical connection to City A flapping, of course BGP will flap, but will I be able to use route dampening to control the instability in AS 20? Will I be able to tweak route dampening to where I will be able to just use the secondary for, say, a set time, before it will try to use the primary link, even if this connection is continuously flapping? I am hoping that I will be able to tweak dampening to where it will just use my secondary link, until I can fix my primary link, w/o having to manually shut the interface, or shut BGP? I apologize if this is a bit off topic...

TIA,
D-
Controls are ineffective without user cooperation
Donn S. Parker pointed out that controls are ineffective without user cooperation. According to an AT&T-sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a secure password, 17% accessed the company network in a public place and didn't log out, and 9% informally shared a network password with someone outside of the company. http://www.att.com/news/item/0,1847,13137,00.html The survey included relatively few people, 254 executives from Europe, North America and Asia-Pacific regions.
Re: Controls are ineffective without user cooperation
Tell them that every time they click on that thing, it costs $1000 to disinfect the LAN and keep the firewall up to date. Caveat: have yet to actually try this approach, but seems like it would have a chance at least.

+-
+ Dave Dennis
+ Seattle, WA
+ [EMAIL PROTECTED]
+ http://www.dmdennis.com
+-

On Fri, 16 Jul 2004, Christopher L. Morrow wrote:
On Fri, 16 Jul 2004, Sean Donelan wrote:
Donn S. Parker pointed out that controls are ineffective without user cooperation. According to an AT&T-sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a secure password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.

surprised? if you don't teach the baby the consequences then they continue to behave badly. I suppose it IS a little bit tough to tell the executive: Bad Exec!! NO COOKIE!!! or the equivalent in execu-speak :(

http://www.att.com/news/item/0,1847,13137,00.html The survey included relatively few people, 254 executives from Europe, North America and Asia-Pacific regions.
Re: BGP Dampening question
On Jul 15, 2004, at 11:46 PM, D Train wrote:
I was needing to know if anyone could assist in helping me find a solution to a problem I am experiencing. Here is the scenario: I have an AS 20 that has 2 circuits, one to City A and one to City B. City A and City B are in another AS, let's say AS 1. In my AS 20, I am learning the default route via EBGP from City A, through my primary link, and also have a static route configured to traverse my secondary link, to City B. If I keep seeing the physical connection to City A flapping, of course BGP will flap, but will I be able to use route dampening to control the instability in AS 20? Will I be able to tweak route dampening to where I will be able to just use the secondary for, say, a set time, before it will try to use the primary link, even if this connection is continuously flapping? I am hoping that I will be able to tweak dampening to where it will just use my secondary link, until I can fix my primary link, w/o having to manually shut the interface, or shut BGP? I apologize if this is a bit off topic...

First, this is about the most on-topic post I've seen in a while.

Second, yes, you can do what you want with flap dampening. Your router will penalize the announcements from A for every time it flaps, and will wait until it has stopped flapping for a user-definable time before sending packets to A again.

That said, I would not use flap dampening for this. If A is flapping THAT much, time to get another provider, or another local loop. If it only flaps occasionally, not a big deal, the routers will handle it. Besides, since you only have connectivity to one AS, there is really no need for you to announce to the global table at all. Just use a private AS to get the routes and have the other AS originate your CIDR from their AS. You can still get the default route, still static to the backup link. If the circuit to A flaps, routing will converge quickly.
You can tweak the timers to do it very quickly, since no one else is listening. In fact, you do not even need BGP. This set up is simple enough to use anything else - even RIP. (I'm serious - this is a trivial routing exercise, so one could even argue the most brain-dead protocol is best suited for it.) -- TTFN, patrick
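What "penalize ... and wait until it has stopped flapping" amounts to in numbers is easier to see in a simulation. The following is an added example, not code from the thread and not a router configuration: it models the dampening penalty with the commonly cited IOS defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min, 1000 penalty per flap), which are taken here as assumptions, over constructed flap timings. It shows that the backup path is used for as long as accumulated penalty stays above the reuse limit, so a link that keeps flapping stays out of service until it has been quiet for a while, which is what the original poster asked for.

```python
"""Route-flap dampening simulated with assumed IOS default parameters.

Added example (not from the thread). Flap timings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningParams:
    half_life_min: float = 15.0      # penalty halves every half-life
    reuse: float = 750.0             # route usable again below this
    suppress: float = 2000.0         # route suppressed above this
    max_suppress_min: float = 60.0   # suppression never outlasts this after the last flap
    flap_penalty: float = 1000.0     # added per flap

    @property
    def ceiling(self) -> float:
        # Penalty cap that makes max-suppress hold: reuse * 2^(max_suppress/half_life).
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


DEFAULTS = DampeningParams()


def decay(penalty: float, minutes: float, p: DampeningParams) -> float:
    """Exponential decay of the penalty over `minutes`."""
    return penalty * 2 ** (-minutes / p.half_life_min)


def simulate(flap_minutes, p: DampeningParams = DEFAULTS,
             horizon_min: float = 240.0, step: float = 1.0):
    """Walk the clock in `step`-minute ticks: apply flaps due at this tick,
    update suppression state, then decay. Returns [(minute, penalty, suppressed)]."""
    pending = sorted(flap_minutes)
    penalty, suppressed, t = 0.0, False, 0.0
    timeline = []
    while t <= horizon_min:
        while pending and pending[0] <= t:
            pending.pop(0)
            penalty = min(penalty + p.flap_penalty, p.ceiling)
        if not suppressed and penalty > p.suppress:
            suppressed = True
        elif suppressed and penalty < p.reuse:
            suppressed = False
        timeline.append((t, round(penalty, 1), suppressed))
        penalty = decay(penalty, step, p)
        t += step
    return timeline


def reuse_time(flap_minutes, **kw):
    """First minute at or after the last flap when the route is usable again,
    or None if it is still suppressed at the end of the horizon."""
    last = max(flap_minutes)
    for t, _penalty, suppressed in simulate(flap_minutes, **kw):
        if t >= last and not suppressed:
            return t
    return None


if __name__ == "__main__":
    print("single flap              -> usable at minute", reuse_time([0]))
    print("three flaps in 3 minutes -> usable at minute", reuse_time([0, 1, 2]))
    print("flap every 2 min for 2 h -> usable at minute", reuse_time(list(range(0, 121, 2))))
```

Two things the run makes concrete: a single flap never reaches the suppress limit at all, and a link flapping every couple of minutes settles near a steady-state penalty of roughly 11,000, so once it finally goes quiet the route stays dampened for close to the full hour of max-suppress before traffic moves back. That is also why Patrick's advice stands: a link that needs this treatment is a link to fix or replace.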
RE: Regional differences in P2P
On Thu, 15 Jul 2004, Michel Py wrote:
I agree, but see above: a 40GB/mo cap is not something that I care about. Granted, I'm not a hardcore file swapper but 40GB/mo are more

I don't know of any capped service over here, nobody dares take the first step. The largest 10meg provider here launched a new 100 meg full duplex service for their approx 200.000 household reach at USD$110 a month with a 300G cap (their 10 meg service for $45 a month is uncapped) and there has been a fair amount of users complaining about 300G not being nearly enough. When you start swapping DVDRs it just isn't. If they capped their 10M service I believe there would be a riot.

I know a few smaller providers who use netflow or alike to find their very high-bw consuming customers and then put them into a ratelimit access list and limit their outgoing traffic. This is probably the best way to go, instead of capping you limit their speed. It requires that you have hardware that'll do this, which can be hard for larger ISPs. Smaller ones have an easier time finding scalable solutions.

-- 
Mikael Abrahamsson email: [EMAIL PROTECTED]
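The netflow-to-ratelimit pipeline Mikael mentions is small enough to sketch end to end. This is an added example, not code from the thread or from any vendor: it sums upload bytes per customer address from flow records (fields modelled loosely on a NetFlow v5 export: timestamp, source, destination, bytes), picks the hosts over a threshold, and returns the prefixes to feed into whatever policing mechanism the hardware supports. The flow lines, the customer range (a documentation prefix) and the threshold are all constructed assumptions; the same aggregation is what you would run to spot a compromised host that has turned into an ad or spam server.

```python
"""Heavy-upload customers from flow records, for a rate-limit list.

Added example (not from the thread). Flow records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("192.0.2.0/24")   # constructed stand-in for the access pool

# Constructed flow export: epoch_seconds src dst bytes (one flow per line).
FLOWS = """\
1089900000 192.0.2.10 198.51.100.7 734003200
1089900300 192.0.2.10 203.0.113.9 629145600
1089900600 192.0.2.11 198.51.100.7 1048576
1089900600 198.51.100.7 192.0.2.11 524288000
1089900900 192.0.2.77 203.0.113.44 2147483648
1089901200 192.0.2.77 203.0.113.45 1073741824
1089901500 192.0.2.12 203.0.113.9 52428800
1089901800 192.0.2.10 192.0.2.12 999999999
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed export."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield int(ts), ip_address(src), ip_address(dst), int(nbytes)


def upload_bytes_per_host(flows, customer_net=CUSTOMER_NET):
    """Sum bytes per customer address in the upload direction only:
    source inside the customer range, destination outside it.
    Customer-to-customer traffic never leaves the access network and is ignored."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if src in customer_net and dst not in customer_net:
            totals[src] += nbytes
    return dict(totals)


def heavy_uploaders(totals, threshold_bytes):
    """Hosts at or above the threshold, heaviest first."""
    return sorted((h for h, b in totals.items() if b >= threshold_bytes),
                  key=lambda h: (-totals[h], h))


def ratelimit_prefixes(hosts):
    """Host prefixes for the policing ACL; how they are applied is vendor-specific."""
    return [f"{h}/32" for h in hosts]


if __name__ == "__main__":
    totals = upload_bytes_per_host(parse_flows(FLOWS))
    for host in heavy_uploaders(totals, 1 << 30):       # assumed threshold: 1 GiB in this window
        print(f"{host}  {totals[host] / 2**30:.2f} GiB uploaded")
    print(ratelimit_prefixes(heavy_uploaders(totals, 1 << 30)))
```

Direction matters: the one download flow to 192.0.2.11 and the customer-to-customer flow from 192.0.2.10 are both excluded, so the list reflects what the provider actually pays to carry out.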
Re: Controls are ineffective without user cooperation
On Thu, 15 Jul 2004, Dave Dennis wrote:
Tell them that every time they click on that thing, it costs $1000 to disinfect the LAN and keep the firewall up to date.

Sean quoted some numbers sometime ago for 'average cost of virus outbreak per enterprise'. I don't recall the specifics, but they were staggeringly high... On a whim/notecard let's try this:

1) enterprise network with 10,000 user systems (we'll assume no 'servers' got/get infected in this fictitious dreamland of an example)
2) 1 user clicks attachment and gets pick-your-flavor of email trojan/virus which spreads to 50% of the user PCs before action is started to clean them.
3) assume a 'large' infosec/helpdesk group: 20 people
4) assume average cost per sec/help employee at 100,000/yr (including benefits+OT for this incident)
5) assume all other sec/help work stops to stem the virus flow
6) assume it takes 1 day (complete 14 hour day) to cleanse the bad machines (5k machines, which is 5000/20/14 = 17.8 machines/person/hour or 3.3 mins to clean each machine and move to next machine... 'lightning fast staff'!)
7) So for 1 day we tied up 20 people for 14 hours: 10/1880*8*20 + 10/1880*6*20*2 = $21276.60

That accounts ONLY for the sec/help people to do their 14 hours/person of work (assuming 2x normal OT rate; count that out and it's still: $14893.62)

Now, keep in mind that during this 14 hours the following other things did NOT happen:
1) 5000 people doing their normal job due to their PC being dead
2) 20 sec/help people NOT doing their normal work
3) 1 exec still happily playing solitaire...

These calculations are 'back of the irc-bot' calculations, and do leave some things out... for instance server outages due to virus infections, service outages due to network outages, lost revenue due to service outages or lack of capacity to manage customer requests/complaints/orders/blah...

These events are highly costly, no matter how many times we make this argument it's not clear that anyone that should be listening IS listening. Often the resulting response is: Well, buy more/better virus protection software! (from the same clicker-of-attachments) or Shouldn't our AV have caught this? AV is but one part of the equation, user education and consequences are some of the other part(s).

Caveat: have yet to actually try this approach, but seems like it would have a chance at least.

you'd sure think it would, sadly it doesn't seem to...