The Insecurity of Security Software
H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"
Security software is insecure? Maybe it's just having a bad day and needs a hug. *hugs security software*
Be relentless!
This is a few months after MS bought a bunch of security companies? Shock and horror, gentleman.
Yeah, don't know if this has changed, but on one of my machines my "virus" protection software absolutely needed Internet Explorer, and would override my default browser setting to use IE for any of its "transactions"... Considering the history and track record of IE and my long ago decision to eschew any use of IE this was upsetting to say the least. I cancelled my subscription, sent a letter, and re-upped with a different vendor. To this day, I've never gone back to check to see if this vendor has "fixed" their approach, though I never got any response to my letter. (I choose not to name names, it isn't necessarily about "them"...) I find this to be a somewhat absurd universe that an entire industry has grown up around an OS stillborn in the context of capable security (not perfect, just capable!) Heavy sigh...
Not to worry, though, maybe an industry will spring up around the security software industry... providing us with meta-security software...! (even heavier sigh.)
Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?
This after news that Microsoft will be entering the "security" market.
Coincidence? I think not. They were just waiting for the bar to be lowered enough so their crappy product would be marginally crappy compared to the current offerings.
The preceding message was based on actual events. Only the names, locations and events have been changed.
Companies like McAfee and Symantec are out there to make money. Their first and foremost goal is financial profit. Only then do they concern themselves with providing secure security software. It's plainly obvious that profit comes before quality when dealing with PC security software companies.
Cyric Zndovzny at your service.
Maybe this is why Microsoft is starting to get into the security business :P
Next thing you know, not only the OS and the programs that mitigate/stop the harm which patches protect needs patches, but also the program that does the patching.
On the plus side, the patch cycle is probably a lot shorter with the security products and automated patching is less of an issue than with the OS itself, which is much more complicated and requires a ton more testing.
see a Text Widget
comparing the combined bugs in an entire industry of software to that of one company.
stupid.
"If you put chocolate sprinkles on shit, all you have is shit with sprinkles on top."
The point being, the software that runs on top of any OS can only be as secure as the OS itself.
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
"Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."
If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.
Guy asked me for a quarter for a cup of coffee. So I bit him.
Windows seems to be responsible for that 40 million credit card breach:
posted originally at groklaw:
All of the marketing hype in the world cannot make Micro$oft a better system
http://finance.messages.yahoo.com/bbs?action=m&bo
&sid=1600684464&mid=274625
A Tucson Arizona credit card processor has been implicated in a security breach
which resulted in fraudulent charges and the exposure of 40 MM accounts.
CardSystems Solutions has helpfully posted a Computer Operator job listing. This
makes it clear that the system breached was running M$ OS.
www.cardsystems.com/careers/ComputerOperator
A separate database developer job posting has a VBScript experience requirement,
leading to the presumption that VBScripts were at the heart of the card
processor's data management.
A quality assurance job posting required experience in Windows NT and Windows
2000. Using these obsolete systems was part of the innovative "security
through obscurity" policy on the part of the card processors.
http://toolbar.netcraft.com/netblock?q=UU-63-83-9
3330975
www.cardsystems.com
CardSystems Solutions, Inc., 6390 East Broadway, Tucson, 85710, United
States April 1997
Microsoft-IIS/5.0 Windows 2000
Mastercard is running Apache on Solaris
http://toolbar.netcraft.com/site_report?url=http:
Mastercard International
2200 MasterCard Blvd OFallon MO US 63366
Solaris 8 Apache/1.3.27 Unix mod_ssl/2.8.12 OpenSSL/0.9.7
mod_perl/1.27 29-Jul-2003
Was Mastercard to blame running a decent OS
Or was CardSystems to blame for running Micro$oft crapware.
Exactly. Why would they bother when the sense of security does the trick? They only have to make that sense feel realistic enough...
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Anyone here actually trust Yankee Group anymore? Remember this? http://linux.slashdot.org/article.pl?sid=05/04/05/007214&tid=163&tid=187&tid=109&tid=98&tid=106
Well, it turned out that the study was funded by a windows house: http://filtered.typepad.com/markjones/2004/04/about_face_on_y.html "The survey was funded and carried out by Sunbelt Software, a vendor of Windows utilities, which publicised the survey through a mailing list called W2Knews, which bills itself as "The world's first and largest e-zine designed for NT/2000 System Admins and Power Users"."
So who funded this report?
Linux is somewhat ahead in this in that protected memory is part of its "DNA", unlike Windows which ultimately comes from the culture of DOS, which has no protected memory and is not multi-user.
But still, Linux is only just a little bit better. We need to move to real secure designs such as:
..And exactly how would they profit financially from making and selling insecure security software? I think the cause of this is to be found somewhere else - not in the everlasting strive to make Money.
I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
It's painfully obvious that for any applications requiring real security, you just plain shouldn't use a PC. I got ragged on a lot by my coworkers, but I always recommended an OpenVMS (on Alpha or real VAX) solution. Funnily enough, that stopped after their PC based solutions running Windows 2003 Server were cracked on a weekly basis. And that was on one of our smaller, less known websites. Our major web sites, which we run off of our OpenVMS cluster, remain completely secure.
Indeed, VMS offers the best combination of security through security and security through obscurity. The system itself is inherently rock-solid, stable and secure. Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint. The chance of becoming the victim of crackery is very minor.
Cyric Zndovzny at your service.
Instead of fixing the underlying problem most 'security software' (at least at the desktop users end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes with the added danger that users feel protected and hence don't pay attention to simple day to day good security practices.
As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had a priori knowledge (ie they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software come as no surprise. In fact when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al? No way, for one I haven't seen their source.
Last time I checked, educating people about how viruses spread is a lot more effective than installing an anti-virus program that they don't know how to operate and have no idea how it works.
Bored? Browse Slashdot with a +6 modifier for Troll comme
They make their money from dumbasses and unknowledgeable consumers who have been told by some dumbfuck Circuit City employee that "McAfee is secure" or "Norton is secure". Hell, such people may even be managers at large Fortune 500 corporations. Caveat emptor, my friend.
Cyric Zndovzny at your service.
See how many anti-spyware, anti-virus, anti-malware apps there are on sale there, with names you've likely never ever heard of. People who cannot even write semi-reliable shareware are now writing these things, and people like gullible fools are buying them.
On the other side, you have companies like Symantec and McAfee whose best written and supported products have been known to totally hose business PCs at the drop of a hat. Secure? I don't trust them to run correctly, never mind actually do what they were installed for.
None of this is very new, most of it seems obvious, and it is truly sad that so many will read this and think it a groundbreaking notice instead of an afterthought by the IT world which it is. The horses are out of the barn, and now people are realizing that they got out because they tried using screen doors to hold them in, and they will predictably go look for spline and a tool to put more screening in.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Well, the answer here is simple. We need more security products to secure the security products that are securing Windows!
Yes, I do admit that some security software is necessary, however, a lot of folks just need to use some good old common sense. Email, for example, people just blindly click on links in email, not knowing what will happen. And, giving out private info, this happens all too often and then results in identity theft, credit card abuse, etc.
I have a blog entry about email and it has some helpful hints that I wish people would take into consideration regarding security of information.
I don't think it's just the fault of the security firms and it's also the fault of the users who become overly confident that nothing can harm their computers.
Visit my site @ http://www.madtorrent.com
"Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint."
;)
Security by obscurity, security nonetheless. But, as some wise man once said something like this: you can increase a system's security right down to unusability. Security only makes sense when you gain from using it. Personally I do not see the point using VMS as a webserver, when you could run it for example on OpenBSD, which would probably decrease security a bit, but improve your productivity a lot. I'm sorry, the DCL-hating person speaks from me.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I've avoided anti-virus programs far as I can recall. I use them, but I don't like to run them in real time or pay too much for them.
Basic problem with them is that they're just more complex code above already complex code, that tries to fix the problems that are mainly caused by that complexity in the first place.
Result is a much slower computer that the anti-virus software inadvertently affects like a virus would.
Stopping programs, and causing something to not work correctly.
All virus programs are basically parasites, anti-virus programs are just bigger parasites far as I'm concerned.
They have their place, but they should be simple, free and not be the answer for security. When they are not, they're themselves a risk.
Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
The irony is almost delicious, after me using my computer for years without any antivirus program installed on it and not having a single infection, managed to get my first virus through a website and a Java flaw after installing AVG antivirus.
Now Zone Alarm, Black Ice Defender, Symantec, and more have found serious flaws in their security products that actually make them VECTORS for infection by executing the viruses they are designed to detect and safely remove or block. It doesn't make me feel bad at all for using a naked computer all those years, as I may have had fewer unpatched/unknown vectors for infection than if I was running something like Zone Alarm all the time [although to be fair to them, the Windows hole count is far from over].
Saskboy's blog is good. 9 out of 10 dentists agree.
But it is the security firms that promote this idea that if you run their software, your box is "bullet proof". The truth is that these companies are mercenary, and would say just about anything to get people to buy the latest version and then subscribe to updates. I'm not a tinfoil hat type, but there are some who have said such companies have no interest at all in reduction of threats, because it results in lower sales.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Doesn't this describe the vast majority of companies? Why are McAfee and Symantec obligated to be any different from other companies?
How is Sendmail in any way related to security?
Based on its history, it's probably the closest thing to the exact opposite as you can find.
That might be a popular meme on Slashdot, and Chris Rock is a funny guy. But I just don't see that it's true. Cancer? AIDS? There's tons of money in a cure, thanks not only to the force of drug patents, but thanks also to funds set up specifically to grant big bucks to the first to find a cure.
The case that cures are just as lucrative for pharmaceuticals as treatments is even clearer for diseases that mainly plague developing nations, such as malaria and TB, since (a) there's not much money in treatment to begin with, and (b) there's plenty of first-world foundations that would happily shell out once for a cure, rather than pay indefinitely for treatments of dubious long-term efficacy.
Like I said, Chris Rock--great guy, good insights. But it's really sort of silly to take humor as gospel.
Told you so.
Now bugger off and sort yourself out. In the meantime I'll be undercutting your prices.
Government of the people, by corporate executives, for corporate profits.
The sick part is that anti-virus software was standard when you bought a new PC (from major brands). Now, you've got to buy their subscription services to use them for more than 30 or 90 days.
Total rip-off considering Windows is just as insecure as ever and IE is the default web browser when you open the box.
I've always said, when a new version of Windows is coming out to buy Symantec stock as everyone has to rush out and buy all new versions of anti-virus. (Not that there aren't free alternatives, but it always happens)
Get your Unix fortune now!
Hackers better start respecting these anti-hack companies then if the hackers want to keep their jobs. It looks like these companies are providing hackers with a new life. It goes something like, Don't bite the hand that feeds you.
It's a choice between heart attack or cancer.
If you're using Windows or any product developed for and/or with Windows, you're vulnerable.
Basically, the problem is with the approach to software development. It wouldn't matter whether you were using a Microsoft product or a product developed with the development tools.
The end result is you're vulnerable.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
...nah, too easy...
It's painfully obvious that for any applications requiring real security, you just plain shouldn't use a PC.
Absolutely!
What?
>> their PC based solutions running Windows 2003
>> Server were cracked on a weekly basis
Microsoft runs a shitload of web presence on W2K3, and the only case when they had a breach was when admins simply ignored applying patches. Maybe your admin is incompetent? Mind you, I run Linux on my servers myself, but having apps broken into on "a weekly basis" indicates that someone is not doing their job. VMS ain't gonna change that.
I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for their impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.
Yes, my only tool is a hammer. And you're starting to look like a nail.
I've used McAfee Antivirus for several years now. The current version I'm using relies heavily on Internet Explorer functionality to work, which is a pretty stupid design. I haven't had a virus warning in years, and McAfee and Norton are resource hogs, I don't see much point in using them anymore. I'm seriously thinking about dropping McAfee once my subscription expires and trying something else.
core 2: windows security
core 3:security security
layer 4: real work for PROFIT!
that gives me an idea...dual layer condom anyone?
We're running a BIG website. OpenBSD just doesn't scale to the magnitude we're running at. It doesn't offer the clustering capabilities of VMS. While it's better than Windows 2003 Server security-wise, it still doesn't offer the security of VMS. Switching to OpenBSD would most likely lower our productivity, assuming it were possible. Maybe of our web apps were built up around our legacy COBOL applications. While writing CGIs in COBOL is not very fun, at least VMS can handle that. OpenBSD lacks basic COBOL support.
Cyric Zndovzny at your service.
[1]
So far this year, researchers have only found 22 vulnerabilities in Microsoft's products
[2]
A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year
[3]
Computer-security consultants and researchers are always out to prove they can find vulnerabilities in software.
Umm... no. There's tons of money in a cure, thanks not only to the force of drug patents, but thanks also to funds set up specifically to grant big bucks to the first to find a cure. There is no cure for AIDS; there are treatments. And for the record, AZT (which was the first treatment for AIDS) was developed 20 years before the spread of AIDS to combat cancer (based on the now-disproven theory that cancer was caused by a virus).
Even the most optimistic AIDS researchers only hope that it can eventually become some kind of chronic thing, where you take a medicine for the rest of your life. (e.g., an anti-retroviral against which HIV cannot adapt). Ditto for cancer. While everyone is looking, and we constantly hear about these magic bullets that can target cancer but leave everything else intact, the truth is that we have the same options against cancer that we have had for decades -- killing large numbers of cells (cancerous or not) using surgery, radiation, or chemicals.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
A new Yankee Group report
This is as far as I had to read in order to see that the article was total pants...
Clue to Business Week - look for impartial sources for stories like this. Yankee Group is well known as being a Microsoft shill company. I'm only surprised that it wasn't written by Laura DiDio.
"Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?"
On a related note - aren't some of those cpu-cycle-eating virus scan options rather redundant? (Serious question) if you've enabled on-the-fly virus scanning of reads/writes from/to the disk, aren't the other options - incoming email scans, for instance - unnecessary? I guess I'm wondering which "added protections" are driven by marketing rather than actual need.
#DeleteChrome
Security through obscurity won't work for one simple reason: if the system is so obscure that hardly anyone can use it, it will be trivial to compromise to anyone who knows what he is doing. If you are worried about script kiddies, it's a workable solution. If you are worried about security, it's not secure unless you have regular 3rd party audits and stuff like that.
Yeah, I agree with that for Windows 9x, but come on man. It's 2006, run Windows 2000 or XP. They both have protected memory, and they both are multi user. Get with the times when bashing Microsoft. (Oh and the BSOD is also dead except for hardware failures to get your next bash.)
It would be a lot more impressive if you tried for first Relevant post...
They call us sheeple, I wonder why?
I think it's because of cooties. If something is cootie-fied, and you touch it, you get cooties from it. That's why it's called a MS_C_E. Work on and develop and try to fix cooties. Never works.
And if Moz/FF don't look out it's going to get *thoroughly* cootiefied as well, only a matter of time. It happens to everything that touches the big queen mama cootie.
The software can't detect the virus on your machine until it's scanned for it. It can't scan for it until it knows the signature. It can't know the signature until it gets an update from the company. The company can't include the signature in their update until somebody discovers the virus in the first place and reports it. By the time somebody discovers it, it was already there, got to your hard drive, infected it, and left. Buh bye!
The only security is do-it-yourself security. Learn to think like a cyberterrorist, and you will defend yourself from cyberterrorists. Don't just go to the store and buy one of the books marketed to people like you. Those things are always 90% hot air, and only incidentally contain anything useful.
I mean visit the "underground" websites, join the clubs, fake being what they are (they're all fakes anyway, so they'd never make you.) while you learn what they do, learn about TCP/IP, learn Visual Basic and Javascript and other favorite cracker languages, and most importantly, learn what's on your own hard drive. You should be able to do a low-level grovel through your entire directory tree, read every file, and not have a single byte of that data surprise you. Get some kind of tool for tracing processes and threads. You can keep one open all the time, and with practice, you can get to name every process, daemon, and socket before the system is about to use it. Get a hex editor and learn how to read hex - it's the easiest thing in the world, and the editor even helpfully translates text codes into words for you in a side column. You should at least be able to tell what first few numbers start which kinds of files.
I've never relied on a third party for security, and I never will. I've used security software occasionally, and without fail it eventually breaks down. For one thing, security software is usually the first thing targeted and disabled.
Learn or Burn!
just RTFA and you will see that they list Sendmail as one of the security products. So is MS Exchange a security product as well? What about other protocols/applications? Wu-ftpd anyone?
When Microsoft turned on the automated bug reporting in XP the biggest reported cause of crashes was video drivers. But second to that was security software. Virus scanners and the like. Security software has a tendency to dig deep into the system and then crash. Virus scanners will install low-level file system filters to intercept activity, and then have a buffer overflow, bringing the whole system down with it.
Of course since this was found out, Microsoft has been holding security software conferences and getting vendors to fix their shit. And Longhorn tries to more actively fix the problem by sandboxing kernel file system filters among other things.
This goes to reinforce the notion that security must come from the bottom up. The security design must permeate the most basic OS and even hardware (witness HyperThreading debacle) design decisions.
That is, unless you are Intel or Microsoft and can afford to spend 10x as much to get something comparable otherwise.
This is the last really major security problem OpenVMS had. Unlike Microsoft there weren't a million and one variants of this, or occurrences of the same problem in different places.
Now, if OpenVMS seems obscure to you, I'm sure these guys will be happy to help make it less obscure. Just log into the DEMO account (the password is USER) and type HELP to start getting around. I mean, they must be insane letting any random person log in and compile and run any code they feel like.
Where's the Kaboom?
There's supposed to be an Earth-shattering Kaboom.
Obviously one of the reasons Microsoft is creating security software is that the existing 3rd party stuff sucks. Their anti-spyware software will be free even out of beta. There's no profit motive there.
We've been running AVG for the past 3 years and it is a perfect solution for people looking to actually have a virus protection system that works.
www.grisoft.com
It will find a LOT of viruses/trojans etc that the 'big' software won't and is completely free for personal use (including updates, no subscriptions etc).
AVG is one of the 3 main applications (along with ZoneAlarm & Firefox) that get put down on any machine that I'm called in 'to fix' - which happens on a weekly basis...average people think that because their computer came with Norton or McAfee that they should use it, but these programs do nothing but give a false sense of security, take up significant processor & memory resources and are basically useless in actually finding or preventing viruses etc from getting onto their machines.
Gekido's Lair
Microsoft has done its best to keep Windows secure, but the doors are all open.
I loaded a thirty-day trial version of TDS-3 on her machine and found there were only a couple trojans left.
One of them was that goddamn crap that names a file "t?skmgr.exe" - so that you can't delete it from the XP Recovery Console because stupid Microsoft won't let the RC delete command run wildcards (for "security" reasons, right?), and you can't SEE it in Explorer because it looks just like taskmgr.exe, so you can only tell which one it is by looking at where they appear in the file listing. Then they make it a hidden, system and read-only file and of course it's in use by a process, so Windows won't let you touch it.
Bart's PE and Knoppix couldn't help me with this one.
Acting on a tip from the Net, I loaded Winfile, the old Windows NT file manager, and managed to rename it, move it to another directory, so it couldn't be run, and after rebooting into safe mode, I could delete it.
The other trojan was the one that originally was driving me nuts. I forget how I finally got rid of that one.
There was still at least one spyware somewhere, so I loaded HijackThis on and got rid of some more crap.
And finally I found a "Security Agent" from "CastleCops" which was actually a trojan. The service was running but the rest of it had already been cleaned, so I disabled the service.
Plus I went into the Registry and clobbered everything I could find that wasn't a known user, Microsoft or Dell installed program. I think I cleaned out a lot of spyware keys that even all the other antispyware programs didn't find.
Then I checked the client's account status and found she was running as Administrator, so I switched her to limited. That caused TDS-3 to stop working under her account (apparently it needs not only Admin status to install, but to run, no surprise given what it does). I got confused by XP's stupid "tri-mod flag" technique of labeling all file folders faux "read-only" into thinking somehow the disk was screwed, but I finally determined that was not the case. So she's back to running as Administrator until I can tell her to create a new account (because I don't know what's been installed by her as Administrator so I don't think it's safe to just change her back to limited - something other than TDS-3 might break) and move her desktop icons over to the new profile.
She seems to be clean now - no system error messages, no popups, and the system seems stable.
It only took me another eight hours - mostly because I don't have a Bart's PE and Knoppix that's REALLY loaded with anti-trojan, AV, spyware and other tools. That's my next project - buff up my bootable tools so I can access ANY file ANYWHERE and kill it.
I get my hands on the asshole wrote that "PurityScan" adware trojan, I'm gonna nail his knees to the floor with railroad spikes - so he stays put while I really do some damage to him.
Somebody needs to start scanning Web sites where this crap comes from, report the assholes to the law, and get the lot thrown in jail. NONE of this stuff came in through email because my client uses Web mail exclusively. That means it came from Web sites. So why not set up a Web scanner that visits suspicious Web sites, downloads this crap into a sandbox, logs everything as evidence, then publishes it as a blacklist - a "reverse honeypot"?
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
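An added example, not part of the comment above or of any tool it names: a check for the file-name trick it describes, where a file that displays like taskmgr.exe sits beside the real one. The comment does not say which character stood behind the "?", so this assumes a non-ASCII look-alike, an accented letter or an invisible character; the PROTECTED list, the CONFUSABLES table and the sample listing are constructed for illustration.

```python
import unicodedata

# Names an attacker is likely to imitate. taskmgr.exe comes from the comment;
# the other two are assumed additions for illustration.
PROTECTED = {"taskmgr.exe", "svchost.exe", "explorer.exe"}

# Small constructed table of look-alike characters mapped to the ASCII letter
# they resemble. Not exhaustive; Unicode's confusables.txt is the full data set.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}


def skeleton(name):
    """Reduce a file name to the ASCII form a person would read it as."""
    out = []
    # casefold() handles upper case; NFKD splits accents off base letters and
    # folds compatibility forms (e.g. fullwidth letters) to plain ones.
    for ch in unicodedata.normalize("NFKD", name.casefold()):
        if unicodedata.category(ch) in ("Cf", "Cc", "Mn"):
            continue  # invisible format chars, control chars, combining marks
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def find_lookalikes(names, protected=PROTECTED):
    """Return (name, imitated_name, odd_code_points) for each impostor.

    A name is an impostor when it reads as a protected name but is not
    byte-for-byte that name once case is ignored.
    """
    findings = []
    for name in names:
        skel = skeleton(name)
        if skel in protected and name.casefold() != skel:
            odd = [
                f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                for c in name
                if ord(c) > 127 or unicodedata.category(c) == "Cc"
            ]
            findings.append((name, skel, odd))
    return findings


# Constructed directory listing: two legitimate spellings, one unrelated file,
# and three impostors (Cyrillic a, zero-width space, accented a).
SAMPLE_LISTING = [
    "taskmgr.exe",
    "t\u0430skmgr.exe",
    "TASKMGR.EXE",
    "task\u200bmgr.exe",
    "notepad.exe",
    "t\u00e1skmgr.exe",
]

if __name__ == "__main__":
    for name, target, odd in find_lookalikes(SAMPLE_LISTING):
        print(f"{name!r} imitates {target}: {', '.join(odd)}")
```

Printing the name with `repr` and listing the code points makes the odd character visible even when a file manager renders the two names identically.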
But you can do EVERYTHING with Windows from either windows scripting host script (either VBS or JS - your choice) or from the command line. Those who are still clicking boxes deserve to be fired.
Until consumers stop buying broken products just because marketing hypes it up... we'll continue to have this problem. For some reason, big business loves to buy big names even when the product is severely insufficient for the task. No, I'm not talking about OS choice (that's usually a bit more complicated), I'm talking about hardware/software that comes from a big vendor and doesn't perform as advertised. The more the inferior products are subsidized, the more big corporations are encouraged to sell them.
Can somebody explain to me how so-called Anti-Virus software can work in the first place?
In old DOS time you take a Clean, copy-protected floppy with a DOS operating system, boot from it and then, having a clean OS version, start Anti-Virus program.
Today people just run Anti-Virus software on existing installation, which can be compromised a long time ago. A virus can easily go to a stealth mode or disable checking for itself.
I do not know how modern Anti-Virus-es can work in the first place.
This also perfectly applies to Microsoft's attitude toward security. If it isn't making Bill money, he just doesn't give a shit.
The other problem is programmer quality: if you don't have corporate standards - and quality control people who know enough about code security to enforce them - you get security problems. Most quality control people are just testing the program to see if it WORKS. They need to have people testing it to see if it can be BROKEN - or broken INTO.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
There is no money in a one shot cure. You pay for an injection and you never get cancer again. They'd have to price that injection VERY high. Treatment? If you have to get a shot every other week, you can charge less and make the money on volume. (Replace cancer with anything. Alzheimer's, HIV, or anything else)
Not a Twitter sockpuppet... but I wish I was.
I suspect Norton 2001 may very well be one of the last decent versions of the corporate AV products. Oh well, at least there's the good ol' DOS version of F-Prot(still updated!) that works fine on Windows 3.1/95/98/ME.
Wall Of Shame | OpenVMS Links | Contact Info. | How Can I Help? | Old News...
Users Logged In:
%SHOW-F-OPENOUT, error opening HT_ROOT:[HTTP$NOBODY]USERS.TMP; as output -RMS-E-CRE, ACP file create failed -SYSTEM-W-BADFILEVER, bad file version number
1) "Doctors" (in the usual sense of physicians) don't find cures. MD PhDs, biologists, etc. do.
2) When someone does find a cure or a treatment, that person rarely makes any extra money either way. We actual researchers have no motivation to aim for the best financial solution. It's insulting to see someone taking Chris Rock's _joke_ seriously.
3) Despite my objections to the medical case, I think that this behavior is much more believable in the realm of software.
What I'd like to see in Firefox is a more fine-grained control of policies.
I currently use Firefox with Software install disabled, Java disabled, noscript and Adblock.
There should be the inherent capability in Firefox to restrict _everything_ based on URL regexes or domain patterns. I want to block Java, Javascript, Flash (any plugin for that matter), Cookies, Referrer, User-Agent, a-n-y-t-h-i-n-g and only allow it for certain sites. Currently this works for Cookies and Javascript with external extensions. Ironically, the extension that turns Flash objects into buttons you have to click first requires Javascript, so I'd have to enable javascript for unknown sites. Sucks.
Feels too kludgy. A clean mechanism to define policies for basically anything directly in Firefox would be much better.
Right - the BLUE SOD is now the BLACK SOD.
Yes, Windows 2000 and XP CAN be brought dead to the metal in certain circumstances NOT involving hardware failure. I've seen it.
Besides, the OP's point was that Windows was ORIGINALLY not multiuser or secure and the DESIGN flaws from that are STILL present in the current versions, regardless of their current multiuser and memory protection capabilities. IE (a fucking WEB BROWSER) and its integration into the OS is just one example.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Please let me know which corporations use LookOut, so that I know where NOT to spend my money. Every decent company I've ever heard of (and even the shady ones too) uses Lotus Notes.
Both Netscape and MS gave away their browsers dreaming of the marketing potential of networked computers. There really are people who dream of a brave new world run by marketers.
What is even more amusing is that many of the antispyware programs are developed by spyware firms. Some are simply trojans for spyware, while others have the admirable goal of protecting the spyware's programs from other spyware programs. "We will keep our competitor's spyware off your computer!!!!"
Quite frankly the whole idea of providing security by adding more and more layers is flawed. Seems to me that the best approach to security is to build security from the ground up.
is that you can sell that cure for the one-off profit shot and there is no need to patent - if it works, then it will never be needed again.
Meanwhile, there are plenty of unnecessary operations being done and all of them are very lucrative. They could move into that.
Ahem - they BOUGHT their software from a third party.
And yes, they WILL be charging for their full security package. Maybe not the antispyware one alone, though.
Read this from back in January of this year (if the plans have changed, I didn't hear of it):
Microsoft Readies 'A1' Security Subscription Service
By Mary Jo Foley
January 4, 2005
Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named "A1," according to developers who requested anonymity.
Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How, when and if it will repackage GeCAD's technology remains uncertain. Ditto for Giant's--although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant's technology this week. Neowin said the anti-spyware beta is code-named "Atlanta."
Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn't the ultimate plan, partner sources said.
Microsoft is currently expecting to field its A1 anti-spyware/anti-virus bundle in the form of a renewable subscription service, the same way a number of other security vendors do, sources said. The service will allow users to keep current on the code needed to combat ever-changing viruses, worms, spybots and the like.
Some elements of A1 are likely to be built directly into future versions of Windows, according to partners. Specifically, some of the security management functionality, such as the security health-validation technology that Microsoft officials discussed last year, would likely be bundled into Windows itself, partners said.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
On the contrary. Our systems have had years to stabilize and mature. Like I said, attempts to migrate to more recent systems have met with dismal failure, mostly because the proposed PC-based Windows 2003 solutions fall flat on their face security wise. More secure solutions, like OpenBSD, just can't handle the workload. They don't offer the clustering support we need, let alone the infrastructure necessary for an operation the size of ours.
A switch to a non-VMS, non-COBOL solution would markedly decrease our productivity. We need systems that are up 24/7/365/forever. We can't afford to lose time rebooting our system because we had to apply the latest service pack to keep little kiddie hackers from breaking into our network.
Cyric Zndovzny at your service.
I disagree. Remember the browser wars? By the time enough people were objecting to the bundling of IE with Windows, it was too late. The consequence? Browser monoculture.
When MS bundles AV software with the OS, it is too easy for Joe Sixpack to adopt that as his AV solution. Then it's MS de facto standards for Windows, Office, and computer security. Even harder to get people to switch.
When MS offers another "secure computing" initiative that 'natively' integrates with MS AV, adoption is immediate and almost total across the Windows install base. The fact that the "secure computing" initiative contains strong IP protection, and maybe hardware integration, and maybe transparent usage reporting is never made clear to the average end user.
Never assume that an attempt to increase market share/integration/adoption by MS does not have a profit motive. There are few altruists working on Redmond Campus.
For these really different systems you point to, RELIABILITY is also a key point (and closely related to security). You think >1 year uptime for a BSD box chugging away in a basement is good? How about 17 years uptime? And that's when they pulled the plug, not when it died.
I think for really secure + reliable designs you should look at micro-kernel based systems like L4Linux or Gnu's HURD (also moving towards L4). Note: not saying these systems are ready now, because they're still under development, and may have a long way to go before they're 'done'.
Leaves me to wonder: for RUNNING such systems, what hardware would be suitable, if you don't want to shell out the money for redundant, hot-swappable, server/cluster-style hardware? Any reasonable cheap, common hardware around with added reliability features included?
Did anybody actually READ the article? Did anyone notice that the number of vulnerabilities DROPPED every year? How the fuck is that "increasing sharply for the third straight year"?? Or did every dumbass who looked at the chart forget to read the damn legend?
Something I think too many people forget is that passwords are security through obscurity. It isn't something that should be relied on if you don't have to, but it's better than nothing.
Do a Google search for "IP6." It's a substance found in a number of food crops. Check this guy's website for the article. Sardi is one of that rare breed called "the anti-AMA doctor."
The AMA and the pharmaceutical companies are full of shit. When institutions like these become sufficiently corrupt, they become fixated upon maintaining their privileged position in society rather than upholding their stated purpose.
"OH SHIT, THERE'S A HORSE IN THE HOSPITAL!"
Here is an old Arab proverb that goes something like this:
"Five percent of the people think. Ten percent of the people think they think. And eighty-five percent of the people would rather die than think."
I chuckled the first time I heard that one, as clearly the saying was coined with humor in mind. So it's a joke, right? Or is it an accurate assessment of the way human society functions? Or is it both?
Perhaps you think all those comedians are trivial clowns with nothing important to say, but I respectfully disagree.
"OH SHIT, THERE'S A HORSE IN THE HOSPITAL!"
This is just another nail in the coffin of the whole "anti-virus" idea. Ever since Melissa (and even earlier) it's been plain that AV software's ability to prevent infection is always going to be limited. Take Explorezip - the company I was working for at the time of that outbreak was running up-to-date AV software. Yet we got completely smashed by that Trojan when it came in over the email and had to wait about 12 hours for a fix.
The sheer rage on the MD's face when he met the IT director was amazing. How come we had been shut down by a virus when we had been paying hundreds a month for "protection"?
The use of AV software is, in my opinion, stupid. Shutting gates after the horse has bolted is bad enough, but having to PATCH that software's OWN VULNERABILITIES is sheer lunacy.
People in generations to come are going to laugh at us. They are really, really going to laugh at how naive and stupid we were to let the AV industry utterly lead us up the garden path.
Oh, and how we let Microsoft make it all happen in the first place, natch.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Looking through all the replies shows how a lot of Windows bashers don't know how to use Windows.
It's OK to hate something you don't understand.. n00bs.
If a shell process is made to run malicious code through a vulnerability (even from a hole in IE) or user negligence, it has exactly the same rights as the current user. If the user is running a web browser as an administrator to browse untrusted sites, then that's just user stupidity. It has nothing to do with the OS's design.
IE's integration into the Windows shell is just like KHTML's integration into KDE's shell or WebCore's integration into OSX's shell. They're each a set of standard libraries for rendering HTML for various UI components.
Yes, the defaults for setting up a normal user account are poor. Defaults != OS design.
Yes, there is a lot of software that needs excessive privileges to run properly. This is not the fault of the OS, but of developers who can't be bothered to write good software. The most that could be blamed on the OS design is that the security model is too complex, but even then, the errors are almost always things that would be illegal on UNIX too, like writing to the same directory that the program binaries are installed in.
Windows NT has always had a secure, multiuser design. (unlike UNIX where security was taped on as an afterthought) Your only example about IE integration has little to do with OS security, and hardly distinguishes Windows since KDE and OSX do the same thing.
Bring up some of the other supposedly myriad design flaws in Windows NT based OSes.
The problem with most of these security applications is that ultimately, all they're really doing is trying to address the symptoms of an underlying problem / "disease". It's just yet another layer of workarounds stacked upon still more workarounds, none of which ever seem to fix the core problems. There is only so much that symptomatic treatment can do for you, at some point it becomes better to just throw out the entire foundation and build something from the ground up again, 'properly', with security in mind from the beginning. It seems to me the Windows codebase is such a tangled mess that at this point it's probably become extremely costly for MS to maintain, slow to enhance and extend, and changes break things too easily so one fears changing things --- it seems to bear all the hallmarks of 'spaghetti code'.
Why is this such a mystery?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Did you read what I wrote? Of course there is no "cure" for AIDS or cancer--yet. But we can certainly expect to see better and better treatments in the future (and not just in the realm of pharmacology), treatments that will not require the patient to require care on an ongoing basis. That's what I call a cure.
Now I'm not sure what you mean by stating that the best cure for cancer that science can hope to find is to make it a chronic ailment, like HIV infection currently is, or how it's relevant to your flippant claim that there's no money in cures. Perhaps you can clear that up.
So I am over at my inlaws house the other day, and of course, they ask me about a sick PC..
So I manage to download Process Explorer, and guess what process is using ~90% of the processor cycles?
Norton Antivirus.
De-installing Norton was strangely easy, and a boot scan with avast! showed... no malware.
The system crippling 'virus' in this case, was Norton Antivirus.
... and we're about as "Big League" as you get.
Cyric Zndovzny at your service.
IIRC, he was talking about Smallpox and why Smallpox was the last disease you heard about being "cured". The answer is that the natural host of Smallpox was humans. If you then contrast that with something like Ebola where we don't know yet what its natural host is (some suspect that it comes from plants), then you begin to see why it's so hard to eradicate a disease. It's not that hard to control a virus that lives only in humans, but a virus that lives in many animal or plant species will be next to impossible to eradicate.
Corporations are out to make Money?? HOLY SHIT BATMAN, THAT'S FUCKING INGENIOUS!!!! Wow... What a shock. All this time I thought corporations were for helping children living in Africa. I don't suppose lawyers are out to make money, too? Only you would know a thing like that, Sherlock!!!
Disclaimer: On the other hand, I am kind of a psycho...
http://img.photobucket.com/albums/v238/saskboy/mcafeesucks.jpg
As you can probably make out, it's a .pif file, from a virus that came out many days before October 30, 2003 as you can see the date in the corner. If you do a google for paris.pif I'm sure you'll find what day that particular virus was added to the McAfee definitions. I knew at the time, but nearly 2 years later that detail isn't at the front of my brain.
Saskboy's blog is good. 9 out of 10 dentists agree.
"There are a lot of people claiming to run uninfected naked machines for years.
Invariably what it means it they don't run ANY Microsoft products that access the Net - no IE, no Outlook, no Outlook Express, no nothing. AND they patch everything anyway."
I'm one of those people making that claim, because it's the case with me. I started running with DOS and never got infected, nothing during Windows 95, nothing during Windows 98, nothing on Windows NT or 2000 at work, and it took 2 years into XP for me to accidentally infect my machine with Java Byte. There were several machines I worked on that had viruses, but with a bit of luck, and best practices I never transmitted them to my own computers.
I used Netscape 3 then 4, then IE 4, 5, then 6, and now Firefox and Mozilla Suite with IE occasionally. I had Command AV on my system for about a year with it stopping no viruses, and it was free - offered by my University. I currently have AVG and it has stopped no viruses including the Java Byte which I think I found with an online scanner like Housecall, but perhaps I forgot and AVG did find Byte in a scan so I could remove it.
"They also never indicate their volume of email, volume of Web site access, nature of Web site access (do you access sports sites, porn sites?), etc."
Email volume would be about 50 a day for the past 8 years, considering the varying levels of Hotmail spam, and multiple accounts.
Several webpages a day, random sites, not all big names like eBay, and my bank, or CBC. Pleading the 5th on the last part of your question, but suffice to say IE was exposed to a lot of site variety possibly even sites advertising "Free" programs [which clearly I avoided].
"It's been demonstrated that XP will get infected in twenty minutes put on the Net without patches and security software."
I knew this, and took steps to patch it before running naked [on a campus LAN which isn't true Inet nudity perhaps?]. I'm still running SP1, since I'm behind a router, and I'm more concerned about breaking applications that I like and might not work with SP2, than I am with one day encountering something that can make it through my router and/or something I install myself by accident.
"I got TODAY THREE viruses downloaded from my SBC Yahoo email account via Thunderbird (detected and cleaned by Avast). Without Avast running on my system, I probably would have viruses all over my system."
I wouldn't be as concerned as you were, and I wouldn't need Avast to protect me, unless there's a Thunderbird exploit I've not heard about. The human brain when properly trained is the world's most effective AV software - don't view bad emails and don't open attachments.
"I just got through yesterday cleaning a client's machine that WAS naked on the Net with no patches, no firewall and no AV. Hundreds of spyware, hundreds of trojans."
I have no doubt about that. I do that cleanup for people too. That's WHY I can run a naked machine and be ok, I have experience they lack.
"It's bullshit to generalize that running naked is safer than having security software."
Obviously it's not total BS, although for 95% of computer users, and it sounds like you included, you either need or think you need AV software to survive in the Wild West of the World Wide Web. My six shooter is my brain, and Delete key [and Windows patches and/or a router/firewall]. When you think about it, you have to count the number of vectors introduced by a product like McAfee and Zone Alarm, and then subtract the holes in Windows to get the true picture of which machine is more vulnerable. Does Zone Alarm take away more holes than it creates? Most likely, but it also introduces new means of attack clearly, and gives some users a false sense of security which I don't allow myself to be lulled into.
If you've read to this point, I congratulate you, I was rambling practically, but hopefully I've showed I'm not BS'ing you. Perhaps I've been using "extreme computing" to avoid viruses, but it's wor
Saskboy's blog is good. 9 out of 10 dentists agree.
No, it had nothing to do with smallpox.
That's right, we got AIDS out there. You think they're gonna cure AIDS? No. They can't even cure athlete's foot. They ain't curing AIDS, shit. They ain't never curing AIDS. Don't even think about that shit. They ain't curing AIDS because there ain't no money in the cure. The money's in the medicine. That's how you get paid, on the cutback. That's how a drug dealer makes his money, on the cut-back. -- Chris Rock, Bigger and Blacker, 0:29:32-0:31:02
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Or, at least, don't use the current version PC.
Come one, come all! See the amazing (NT) new
technology being developed by MSFT. Rely no more
on even our "Most Secure OS Yet(TM)" without also
using Palladium. Your computer will not permit
you to make a mistake and load a virus, worm,
trojan, or spyware. We trust our "Trusted Computing
Environment" and so should you. "You must give up
some of your rights (on your computer) if you truly
want to be safe." Everyone from Dubya to Ashcroft
to Bill Gates is on the same page on this one.
Just trust us - we know what's best for you.
Oops! Wrong alternate universe!
Better still, forget about all that closed source
security software and switch to F/OSS. You still
can forget the (current generation) PC if you really
want to -- go ahead and dig out that old P-III 800
MHz box from the basement and put SE Linux on it,
or perhaps OpenBSD. Save money! Amaze your friends!
Frustrate your enemies! Get on the bandwagon now.
What?? that's not interesting. That's masochistic. The whole point of buying antivirus is to PAY others to become experts on those very things so you can get along with your life doing something more interesting to YOU. If you want to become an expert, great! Go ahead and make some scratch selling your services. Everyone doesn't have time for that. In fact, that's how civilization works: everyone is a specialist and does their thing to the best of their ability.
To carry your principle to the absurd, I offer this analogy.
Told ya, I've never had faith in a national military, since the concept first came out. They can't detect every threat imaginable and they sometimes make mistakes. Don't just go and pay your taxes for people to protect you, Take matters into your own hands.
I mean, Join a local militia and stockpile weapons to protect yourself. Research and buy body armor, wear it, and make sure your family members never leave the house without it. In fact, don't live in a city (that's where a lot of crime happens) Move your family out to rural suburbs, dig a moat and build your house out of reinforced concrete 1000 feet below the surface. Just to make sure you're safe, go to seedy bars and work your way into the various gangs. They're all crooks and thieves so they won't notice your infiltration. Get an enigma machine and learn to decrypt foreign communications. You should be able to at least tell where their major troop movements are.
(Also, you shouldn't buy your weapons and tanks, you should learn to forge steel from ore you find under the ground and mill into the appropriate shapes)
Can you be Even More Awesome?!
There is an economic motivation to botting that there is not to data destruction, and widespread distribution of your virus requires making it non-destructive and, preferably, transparent to the user. Then you can sell your 100 million bots for a million dollars. Nobody ever made a red cent off of destructive viruses. It doesn't follow that people are writing viruses now to create a demand for their products. For one, exposure would be all but inevitable (one disgruntled employee in an industry where 20% is a nice, low churn) and would destroy the company, and where all the competitors have an active incentive to trace the virus back to your door and are experts who made the tools to do so.
Help poke pirates in the eyepatch, arr.
So IE is not integrated into the OS, only the shell, eh?
And why then can it not be removed without significant problems?
"Windows NT has always had a secure, multiuser design. (unlike UNIX where security was taped on as an afterthought)"
This statement is too bizarre to even consider responding to, if for no other reason than that UNIX predates NT by twenty years. And yes, for a good part of that twenty, security was not a great issue - mostly because viruses weren't even discovered until the early 1980's (and were developed on UNIX machines since sys admins in those days were naive - much like Windows sys admins are still today.) It changes nothing - UNIX has had more security features than Windows for many years.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I've no idea how you did other than pure luck.
I also don't know what you mean by AVG not stopping any viruses since it stops mine quite nicely. I know there aren't any known Thunderbird exploits that would make it easy for the viruses in my emails to infect my system, but it's nice to know that AVG is in fact stopping the ones that do show up.
Patches help, but they're not perfect, either. And patches have new vectors, too, in some cases.
But if you can do it, fine. I still say that 95% of computer users who try your advice will end up like my clients.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I agree, 95% of computer users today would end up like your clients, and my clients too. However, my point was that the reliance on AV products to protect a computer has been overhyped because education is far more effective [unless it was luck]. But 10 years of luck, 7 of which I had email?
Even you, an educated person in the area of computers, place too much stock in Avast protecting you from email viruses. Them simply being received isn't much of a reason to get excited or predict that without an AV product they'd probably somehow magically leap out of your inbox or deleted box into your hard drive's nooks and crannies. If you're talking about a business handling very sensitive information maybe I'd be concerned too, and investigate if that certain virus coming in has the potential to exploit a flaw in the email client, but I assume you were talking about your home machine.
Saskboy's blog is good. 9 out of 10 dentists agree.
As I've been saying before, it's not just that they're insecure too, it's that it's a pain even when working as intended. In fact, it's often worse not just than Windows's being vulnerable, but actually worse than being virused.
They're slow for a start. At work we've tried copying the same large directory full of many small source files to a file server, once with Norton Antivirus running on the workstation and once without. Without it takes tens of seconds. With it, it takes slightly over 40 minutes.
And we're talking pretty good workstations. I hate to think of the poor bugger running it at home on some Cyrix 300+ box. (Yes, there are quite a few of those still in use.) I believe being virused and spywared six ways to sunday wouldn't slow their machine as much.
But wait, it goes downhill from there.
At one point I wanted to install Windows 2000 on a new machine. As fate would have it, I didn't have a firewall on a CD, and didn't know yet about the IPSec filtering built into Windows itself. (Yeah, noob.) So I decide to make a sacrificial install, let it get virused (took 10 seconds flat) while I download a firewall, then format and reinstall.
But then I get curious, and after blocking the ports, I try to play with the virus. The saddest part? Installing Norton didn't even recognize it. The almost as sad part? It slowed down the machine more than the virus did.
And then it goes even more downhill, e.g., McAfee. Ooer. Now that was a festering piece of crap.
1. Probably the "least" of problems: the ActiveX updater requires IE to run, but it's too stupid to actually launch IE. It launches whatever default browser is currently configured, e.g., Mozilla or Opera, and then can't update. So basically if you installed Mozilla or Opera on someone's computer to protect them from IE exploits, they won't be able to update McAfee. Stupid.
2. At one point, after an update, I ended up with _two_ versions of it running at the same time. Presumably because the original installation was on the "D:" drive, while the stupid updater installed the new version to the default directory on "C:". So then I had both running at the same time (and slowing down the machine accordingly.)
It's just sad, folks. You know that a piece of software is written by retarded monkeys when it can't even remember a simple setting like the install directory.
3. Their "privacy" part, and the fashionable rushing to proclaim _any_ cookies as "spyware", basically made it impossible to use any web site that requires login.
4. When uninstalling it, point 2 struck again. It only uninstalled one of the versions, and left the other running. With no obvious uninstaller entry, or any other recourse than to manually edit the registry and manually delete files. (Did I mention "coded by clueless monkeys" yet?)
And so on.
And then there's the occasional over-reacting oddball, like G-Data, which (among other nuisances) quarantined all versions of MIRC I had downloaded or installed, for no reason than IRC being in their opinion a security risk. Not a discovered vulnerability in it, not a virus, just an opinion that IRC is bad. Right. So does that mean they'll quarantine IE and Outlook Express soon too, or? Disable the TCP/IP stack because that's where viruses come from? Or?
Or, G-Data again, which still can't keep their code and data segments separated, so it won't run with the NX (no execute) bit protection in XP. Riiight. So a security product can't deal with the Windows security option that prevents buffer overflow attacks. I'm impressed.
I dunno, it's an industry that I find outright sad. Now I can understand a corporate intranet blog site, or something else that doesn't really matter, being coded by cheap monkeys off the street and designed by marketroids purely for buzzwords' sake. ("Oooh, let's _pretend_ we save them from spyware too.") But from an industry whose self-proclaimed goal is to make Windows secure, they have no excuse for doing such a half-arsed job.
A polar bear is a cartesian bear after a coordinate transform.
even 15-20 (although 20 is cutting it fine, the XT only came out in 1981) were HARMLESS.
Oh yeah, everyone remembers Michelangelo, Stoned and say One-Half. But, as I worked security, I remember viruses such as B1, Form and others that were far more common and that were (for the most part) harmless.
Sure, there are still some people of limited ability who cling to VMS _decades_ after it became obsolete, but this is more a reflection of their failure to adapt and evolve than anything else. It's simply not necessary to use such a primitive operating system to achieve a high degree of security. Contemporary open-source 'nixes (by which I mean Linux and *BSD) are vastly superior in terms of both functionality and performance, and of course do not share the inherent design flaws which doomed VMS a very long time ago.
Whenever people argue for these snakeoil fixes, I usually drop a simple statement -
"Hell Hath No Fury like a Determined Idiot. I'm living proof."
While it might not convince them to approach the problem correctly, without fail it gives them pause...
help me i've cloned myself and can't remember which one I am
Our major web sites, which we run off of our OpenVMS cluster, remain completely secure.
"remain completely secure" = "Hasn't been broken yet (at least that we know of)."
It's a failure of our market system... what makes a successful software company, and what makes a "good" product in an engineering sense (qualities such as functionality, robustness, etc.) are not the same.
It's financially better (especially in the short term) to rush out a crappy product than to provide something that works. Brand reputation isn't a quality motivator anymore, because the executives (who make these kinds of decisions) will be at a different company in a few years; why should they care if their current company is bankrupt by then?
This is what makes Open Source software better in an engineering sense; there are no "successful software company" types of constraints imposed upon it.
This is why I have a preference for hand-rolled OSS solutions instead of firewall / email-scanning / security "products". Unfortunately, our IT guy doesn't have enough development experience to be this cynical about commercial software, so he'll never understand why my Linux boxes are more trustworthy than commercial security products.
Paris Hilton is HIGHLY overrated. I don't think she's really that great to look at.
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
[1] 22 vulnerabilities
:-)
Funny, Secunia lists 32 Vulnerabilities in Microsoft Products for 2005.
I guess it's the 10 new ones for June that they are missing.
I know that a virus that is not able to be executed is harmless - it's the ones that can use a flaw in the email client or other program to run that worry me. I mean, jpegs that can contain viruses - who would have suspected that before the GDI flaw was found? Theoretically possible, of course, but ONLY if the program displaying them had a flaw that allowed it.
I can risk my AV having a flaw that allows them to get past, but why should I take the risk that all the other programs I use DON'T have flaws? Your suggestion that security products just add vectors makes no sense, as one could say the same about any software. The issue is whether the security software protects against more vectors than it contains.
It's a matter of common sense, not paranoia. You take the security precautions you can, because while most of them may be superfluous under NORMAL conditions, you can't know which ones are until the attack occurs or which ones turn out to be critical. This is common security practice in any area of security.
And the fact that, in some cases, the very security you employ can be used against you by a clever attacker is not justification for not using it. It is merely justification for being aware that it can be used against you.
Being complacent about security is the best way to have NO security at all when an attack comes.
AV products may be overhyped, I have no quarrel with that, but "education" that ignores some of the possibilities is nearly as bad as no education at all.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
In response to your earlier comment: I said that the design of Windows NT has always been secure and multiuser. NT has little in common with the other Windows line under the surface. Name one design flaw present in the first version of NT (3.1) that still exists in the current version (Server 2003 or 5.2). I don't understand what's so bizarre about that.
It's hard to compare to UNIX because there are so many variants, and I'm only familiar with a few of them. Still, standard Linux still uses the ancient RWX permissions, and gives each user one primary group. This is hardly as flexible as ordered accept/deny ACLs. Many UNIXes don't have an auditing system as deep as NT's. It's usually up to whatever resource manager to do its own auditing, if it's supported at all. I'm still looking for an equivalent to NT's restricted tokens in a common UNIX.