Comments for StopBadware Blog http://blog.stopbadware.org Wed, 22 Feb 2012 19:27:02 +0000 hourly 1 http://wordpress.org/?v=3.2.1 Comment on Joint StopBadware-Commtouch report explores site compromise from the owner’s perspective by jocuri cu biciclete http://blog.stopbadware.org/2012/02/22/site-compromise-from-owners-perspective/#comment-428 jocuri cu biciclete Wed, 22 Feb 2012 19:27:02 +0000 http://blog.stopbadware.org/?p=550#comment-428 Nice write, your articles is good! Keep working ... Nice write, your articles is good! Keep working …

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by KOREA BLOG ARCHIVE » Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2) http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-400 KOREA BLOG ARCHIVE » Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2) Sun, 29 Jan 2012 15:52:56 +0000 http://blog.stopbadware.org/?p=497#comment-400 [...] This is the second half of a two-part blog post. For exposition, see “Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1).” [...] [...] This is the second half of a two-part blog post. For exposition, see “Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1).” [...]

]]> Comment on State of the Net 2012: It’s SOPA, But Not Just SOPA by Jacob lane http://blog.stopbadware.org/2012/01/19/sotn-2012-not-just-sopa/#comment-393 Jacob lane Fri, 27 Jan 2012 08:47:58 +0000 http://blog.stopbadware.org/?p=491#comment-393 What does s.o.p.a.stand for???? What are black list??? When u get a warning sign.....is it safe to download??an wat kinda information do these web sites get off me? ? What does s.o.p.a.stand for????
What are black list???
When u get a warning sign…..is it safe to download??an wat kinda information do these web sites get off me? ?

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by Sandi Hardmeier http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-385 Sandi Hardmeier Tue, 24 Jan 2012 23:45:04 +0000 http://blog.stopbadware.org/?p=497#comment-385 One thing immediately comes to mind when I read the good doctor's statement that "Yes, 20 lines of malicious code had indeed been inserted into a configuration file on my main website, but that code forwarded people to a dangerous site in India ONLY if they came to that site via Google or other search engines" as an argument against Google's actions. His statement is an erroneous argument against the blocking, or against targeted blocking, because **what if that behaviour was changed**? When a site is compromised, there can be no guarantee that a malicious behaviour won't suddenly change or worsen. I also note from the original article on the New York Times that the doctor's "Web Host" apparently "could not find any evidence of malware but reset his site's configuration anyway", and the doctor trusted that advice. It seems to me that the "Web Host" also has a responsibility to improve it's processes. The very fact that the alert existed should have been enough to persuade them that something was in fact wrong, and that if they couldn't find it, that they needed to call somebody in who could. One thing immediately comes to mind when I read the good doctor’s statement that “Yes, 20 lines of malicious code had indeed been inserted into a configuration file on my main website, but that code forwarded people to a dangerous site in India ONLY if they came to that site via Google or other search engines” as an argument against Google’s actions. His statement is an erroneous argument against the blocking, or against targeted blocking, because **what if that behaviour was changed**? When a site is compromised, there can be no guarantee that a malicious behaviour won’t suddenly change or worsen. I also note from the original article on the New York Times that the doctor’s “Web Host” apparently “could not find any evidence of malware but reset his site’s configuration anyway”, and the doctor trusted that advice. It seems to me that the “Web Host” also has a responsibility to improve it’s processes. The very fact that the alert existed should have been enough to persuade them that something was in fact wrong, and that if they couldn’t find it, that they needed to call somebody in who could.

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by ccondon http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-383 ccondon Tue, 24 Jan 2012 18:56:25 +0000 http://blog.stopbadware.org/?p=497#comment-383 Dr. Epstein, First of all, thanks so much for replying. Conversation like this is really valuable to us. The second part of this post (see http://blog.stopbadware.org/2012/01/24/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-2/) lists some ways the security industry at large could improve communications to clarify what's going on when legitimate sites like yours are compromised. One thing I didn't discuss in that post—and probably should have—was something we've heard quite frequently from security companies recently: it's difficult, sometimes to the point of impossibility, for webmasters to reproduce the problem. In fact, it's often difficult for even security companies to reproduce malicious behavior after it's been detected. It sounds like you definitely grappled quite a bit with that, and understandably so. It seems like the other major part of the issue here was that you wished Google had tailored their approach more, so you could mitigate the damage to your reputation and your business. Google is both our partner and one of our data providers, and we'll happily pass this information along to our contacts on their Safe Browsing team. For the record, the "Attack site" warnings aren't actually Google's. Those warnings are issued by Mozilla as part of the built-in protection in Firefox. The connection is that Firefox, like several other companies, uses Google's Safe Browsing API to warn users about malicious or compromised sites. So when you were seeing the warning, it was Google who was blacklisting your site (as you know), but the warning itself was created and issued by the Firefox browser. (I talk about this lack of clear ownership in Part 2 of the blog post.) Great point on the "Attack site" wording—there is a difference between an actual "attack" site and a legitimate, compromised site. Mozilla is also a partner of ours, and again, we're more than happy to pass your feedback along. Thank you, once again, for your clarification on what happened. I'm sorry you had to deal with a site hack—as an organization, we're sorry <em>anyone</em> has to deal with a site hack—but I'm certainly glad that your story might be able to shine some light on the parts of this process that are sorely in need of clarification and improvement. —Caitlin, StopBadware Dr. Epstein,

First of all, thanks so much for replying. Conversation like this is really valuable to us. The second part of this post (see http://blog.stopbadware.org/2012/01/24/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-2/) lists some ways the security industry at large could improve communications to clarify what’s going on when legitimate sites like yours are compromised. One thing I didn’t discuss in that post—and probably should have—was something we’ve heard quite frequently from security companies recently: it’s difficult, sometimes to the point of impossibility, for webmasters to reproduce the problem. In fact, it’s often difficult for even security companies to reproduce malicious behavior after it’s been detected. It sounds like you definitely grappled quite a bit with that, and understandably so. It seems like the other major part of the issue here was that you wished Google had tailored their approach more, so you could mitigate the damage to your reputation and your business. Google is both our partner and one of our data providers, and we’ll happily pass this information along to our contacts on their Safe Browsing team.

For the record, the “Attack site” warnings aren’t actually Google’s. Those warnings are issued by Mozilla as part of the built-in protection in Firefox. The connection is that Firefox, like several other companies, uses Google’s Safe Browsing API to warn users about malicious or compromised sites. So when you were seeing the warning, it was Google who was blacklisting your site (as you know), but the warning itself was created and issued by the Firefox browser. (I talk about this lack of clear ownership in Part 2 of the blog post.) Great point on the “Attack site” wording—there is a difference between an actual “attack” site and a legitimate, compromised site. Mozilla is also a partner of ours, and again, we’re more than happy to pass your feedback along.

Thank you, once again, for your clarification on what happened. I’m sorry you had to deal with a site hack—as an organization, we’re sorry anyone has to deal with a site hack—but I’m certainly glad that your story might be able to shine some light on the parts of this process that are sorely in need of clarification and improvement.

—Caitlin, StopBadware

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by Dr. Robert Epstein http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-382 Dr. Robert Epstein Tue, 24 Jan 2012 18:25:39 +0000 http://blog.stopbadware.org/?p=497#comment-382 Your characterization of this problem is only partially correct. Yes, 20 lines of malicious code had indeed been inserted into a configuration file on my main website, but that code forwarded people to a dangerous site in India ONLY if they came to that site via Google or other search engines. No one was ever in jeopardy if they went directly to any of my more than 20 URLs, if they went to those URLs via links in other websites, or if they were simply downloading material from my websites using established links. The reason I demanded that Google back off was because my colleagues and I were unable to replicate the danger Google was reporting - because, of course, we were always accessing my websites directly. Google erred in this situation in at least six different ways: (1) It blacklisted all of my websites, even when people were trying to access them directly; they did this through the Google software embedded in most browsers. (2) Google's webmaster tools were useless in this situation. They always reported my URLs to be clean because they, too, were accessing those links directly! (3) The only links that Google's webmaster tools reported as dangerous were NON-EXISTENT PAGES on my main website. (4) The Google company was unresponsive to my many attempts to contact people there. Any messages I received were unsigned and simply referred me back to the webmaster tools, which, without exception, continued to produce useless and misleading information. (5) When we finally found and deleted the malicious code on January 6th, it took Google's crawler at additional 30 HOURS to clear my main websites. (6) And it took an additional THREE DAYS for Google to clear http://DrEpstein.com, which is just a forwarding link to http://DrRobertEpstein.com (where the content is). All in all, access to my websites was restricted by Google for more than 10 days. The fact that Google announced to people around the world that my sites were "attack sites" is also problematic. There's a big difference between an "attack site" and a site that has been hacked so that it forwards people to another site. Given the nature of the actual threat in this situation, all Google needed to do to protect the public was to post a notice on its search results saying: "WARNING: Do not access this website by clicking on our link! Simply COPY AND PASTE that link into your browser window. Clicking on OUR link may harm your computer!" What Google actually did was inconsistent with the nature of the danger. Sincerely, /re Your characterization of this problem is only partially correct. Yes, 20 lines of malicious code had indeed been inserted into a configuration file on my main website, but that code forwarded people to a dangerous site in India ONLY if they came to that site via Google or other search engines. No one was ever in jeopardy if they went directly to any of my more than 20 URLs, if they went to those URLs via links in other websites, or if they were simply downloading material from my websites using established links. The reason I demanded that Google back off was because my colleagues and I were unable to replicate the danger Google was reporting – because, of course, we were always accessing my websites directly. Google erred in this situation in at least six different ways: (1) It blacklisted all of my websites, even when people were trying to access them directly; they did this through the Google software embedded in most browsers. (2) Google’s webmaster tools were useless in this situation. They always reported my URLs to be clean because they, too, were accessing those links directly! (3) The only links that Google’s webmaster tools reported as dangerous were NON-EXISTENT PAGES on my main website. (4) The Google company was unresponsive to my many attempts to contact people there. Any messages I received were unsigned and simply referred me back to the webmaster tools, which, without exception, continued to produce useless and misleading information. (5) When we finally found and deleted the malicious code on January 6th, it took Google’s crawler at additional 30 HOURS to clear my main websites. (6) And it took an additional THREE DAYS for Google to clear http://DrEpstein.com, which is just a forwarding link to http://DrRobertEpstein.com (where the content is). All in all, access to my websites was restricted by Google for more than 10 days. The fact that Google announced to people around the world that my sites were “attack sites” is also problematic. There’s a big difference between an “attack site” and a site that has been hacked so that it forwards people to another site. Given the nature of the actual threat in this situation, all Google needed to do to protect the public was to post a notice on its search results saying: “WARNING: Do not access this website by clicking on our link! Simply COPY AND PASTE that link into your browser window. Clicking on OUR link may harm your computer!” What Google actually did was inconsistent with the nature of the danger. Sincerely, /re

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2) | StopBadware Blog http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-381 Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2) | StopBadware Blog Tue, 24 Jan 2012 14:47:43 +0000 http://blog.stopbadware.org/?p=497#comment-381 [...] Blog ← Bridging the awareness gap: the need for better communications in the anti-malware space (Par... [...] [...] Blog ← Bridging the awareness gap: the need for better communications in the anti-malware space (Par… [...]

]]> Comment on Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1) by swecher http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/#comment-380 swecher Tue, 24 Jan 2012 04:23:13 +0000 http://blog.stopbadware.org/?p=497#comment-380 Thanks for the article!!!!! Thanks for the article!!!!!

]]> Comment on New blog platform by Maxim Weinstein http://blog.stopbadware.org/2012/01/09/new-blog-platform/#comment-350 Maxim Weinstein Wed, 11 Jan 2012 21:31:42 +0000 http://blog.stopbadware.org/?p=471#comment-350 Thanks, Gary! Thanks, Gary!

]]> Comment on New blog platform by Gary http://blog.stopbadware.org/2012/01/09/new-blog-platform/#comment-349 Gary Wed, 11 Jan 2012 21:01:47 +0000 http://blog.stopbadware.org/?p=471#comment-349 I love the new WordPress blog. It integrates (looks) just like the rest of the Site - great work. I love the new WordPress blog. It integrates (looks) just like the rest of the Site – great work.

]]>