Tuesday, 16 July 2013

Virus removal squad: Ars readers talk security measures

Let's say you work for a government agency and it becomes apparent that many computers on your network may be infected with some malware. What do you do? Well, if you're the Economic Development Administration, you cut your network off from the rest of the world, hire an outside security contractor, and then physically destroy $170,500 worth of equipment.

Peter Bright brought us the whole story in US agency baffled by modern technology, destroys mice to get rid of viruses. Naturally, this kind of knee-jerk reaction baffled and astounded many of our readers. "Dammit. I'm searching for an appropriate facepalm pic, but there are so many and none are adequate for this," Caedus wrote. LigerRed also sought to forcefully apply face to object in an expression of frustration. "I literally just facedesked," Red wrote.
Other readers were mostly astonished by reports that the EDA's path of destruction extended to the mice that the administration's employees used. "Ah, the scorched earth mouse pad policy. There's just no telling where an infected mouse might point, you know," ColinABQ wrote. maxp0wer was concerned about the EDA's outside security contractor, who seemed to know little about pest removal. "Despite spending all this money, the mouse infestation persists!" p0wer riffed.
But not everyone was so quick to assume that the EDA employs a bunch of slack-jawed buffoons. Starcraftmazter wrote, "Anyone else reckon they just wanted an upgrade and didn't get the funding for it?"
"To be fair," Krutawn offered, "mice have been shown quite successful in targeted attacks. Most OS's install their 'drivers' without a second thought." InfernoBlade took that idea even further:
The keyboards/mice I can almost understand. Those attach (likely) via USB and can do a whole bunch of happy fun things, including keylogging if they needed to. Hypothetically the monitor could try and do something funny with the EDID but that doesn't seem like it'd be realistic.
It's an overreaction perhaps. But USB devices can definitely be constructed to look innocuous and snoop on a whole lot of shit. Someone takes a Logitech mouse, opens the thing, solders an internal hub chip in there and hooks it to the mouse + some chip to exploit a vulnerability in USB stacks, much like how the PS3 was jailbroken originally. Or a mass storage device with a malicious payload.
And the keyboards, that's just low-effort shit to turn into a keylogger.
FerServadu took a more tongue-in-cheek approach to a generous opinion:
NOAA exists to provide the public, government, and business with credible, objective research and observation on the weather, the seas, and the earth. Its work is often critically important (e.g., that of the National Weather Service and the National Hurricane Center) and is largely conducted by scientists, engineers, and other unbiased professionals. By necessity, one of NOAA's obligations is to properly maintain its network infrastructure.
The EDA exists to spur economic activity by spending money.
Both agencies performed their functions admirably in this case.
And UltimateLemon took the EDA's problem solving skills and ran with them: "What? Jenkins has a flu?! Quick! Burn him outside before he kills us all!"

No feds allowed

One big development from this week involved DefCon founder Jeff Moss asking feds to not attend the renowned hacker conference this year due to rising tensions in the aftermath of the Snowden leaks. Dan Goodin's article, For first time ever, feds asked to sit out DefCon hacker conference, reflected on the rift that's occurred between unaligned hackers and federal employees.
While many commenters got vitriolic in the comments section, some put their more reasoned opinions forward on both sides.
KenM disagreed with Moss' move because both feds and non-feds seem similarly bad. "At least the NSA and other government agencies weren't taking my information and publishing it publicly for laughs, or to 'show people things are broken.' Or taking credit card information and using it to buy things for themselves and forcing me to contact people and give them new credit card information... Both sides do things they shouldn't. There's a reason they're called 'black hats.'" awaken688 had similar reasoning, but came at it from the glass-half-full camp, arguing that both feds and non-feds had good members. "It seems like everyone is assuming all federal agents are bad. What about the FBI agents who go after hackers in bank cases or identity theft? I certainly am glad they are there and hope they can get the best of the best."
Of course, there were many who thought Moss had made the right decision asking feds not to attend DefCon. skippyvsjifshowdown wrote,
This is a smart and yet sadly ridiculous response to the Snowden Affair from a group that should have known better. I understand that this is a security decision and that there are a number of attendees who would love to make the conference into a dramatic agency witch-hunt. It's smart.
dlux saw the request as more of a strategic move to encourage feds to make changes, and to keep the focus on privacy infringement:
I think this is as much a symbolic gesture as practical. Right now the world is focused on the US spying apparatus; six months from now a shiny new crisis will dominate the news. History has well proven that the general public does not have the sustained attention span required to address fundamental problems such as this, so any progress has to be made in short, intense spurts. Mid-2013 is just such a period, and this decision is part of the intensity.
No, this is not an efficient way to run a society, but it's the only way we know how, apparently. Keep the pressure on, ask for 80%, and settle for 30. That's how things get done.
But Mike Gale thought that all that could have been gained will now be lost by excluding the very people most involved in the data collection programs put forward by the NSA. "I reckon a lot could be achieved by talking to one another," Gale wrote. "If a 'fed' gets the message from a few hackers that he respects [saying] that they think the government has gone too far and is breaking the constitution, [that] might ultimately have some effect. Might never see it, but at the least there might be an increase in refusing to do marginal and maybe illegal things. Watching the event on a screen won't have that same impact, methinks."

Old tech, new solutions

Dan Goodin also brought us a look into how security experts handle password management in How elite security ninjas choose and safeguard their passwords. After the story went up, Ars tweeted, "Are you an elite security ninja?" to which @TimelessP responded, "If this article even mentions death of passwords and requires personal information instead I'll... ooh look a butterfly!" Definitely follow the butterfly, TimelessP.
In wackier news, Cyrus Farivar brought us a brief about Russia's new security strategy to prevent Wikileaks-style breaches: do away with computers altogether. You can find the details in the story To avoid leaks, Russia turns to… typewriters. "Everything old is new again," wrote @Ziya_Discovery.
Casey Johnston also got hands-on time with Nokia's new Lumia 1020 this week, and you can see her photo gallery In the dark and on the move with the Nokia Lumia 1020’s camera. At the event, Nokia went out of its way to accommodate its audience. "Nokia has us at little blogger desks, each with its own Ethernet cable, bless their hearts," @caseyjohnston tweeted. A bit anachronistic, but hey, it got the job done.
