Slashdot Mirror


The Insecurity of Security Software

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

19 of 264 comments

  1. McAfee and Symantec are out there to make money. by CyricZ · Score: 2, Insightful

    Companies like McAfee and Symantec are out there to make money. Their first and foremost goal is financial profit. Only then do they concern themselves with providing secure security software. It's plainly obvious that profit comes before quality when dealing with PC security software companies.

    --
    Cyric Zndovzny at your service.

  2. Meta-patches by moz25 · Score: 3, Insightful

    Next thing you know, not only the OS and the programs that mitigate/stop the harm which patches protect against need patches, but also the program that does the patching.

    On the plus side, the patch cycle is probably a lot shorter with the security products and automated patching is less of an issue than with the OS itself, which is much more complicated and requires a ton more testing.

  3. Verisign by tehshen · Score: 4, Insightful

    "Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."

    If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.

  4. Re:Chocolate Sprinkles by Anonymous Coward · Score: 0, Insightful

    But contrary to Open Source OSes like Linux, Windows actually has some worthy software it can run.

    Of course your system is more secure when there's less software available for that platform :D

  5. Re:McAfee and Symantec are out there to make money by Raul654 · Score: 4, Insightful

    I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton

  6. Just moves the goalposts of 'Trust' by Anonymous Coward · Score: 4, Insightful

    Instead of fixing the underlying problem, most 'security software' (at least at the desktop user's end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes, with the added danger that users feel protected and hence don't pay attention to simple day-to-day good security practices.

    As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had a priori knowledge (i.e. they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software come as no surprise. In fact, when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al.? No way; for one, I haven't seen their source.

    1. Re:Just moves the goalposts of 'Trust' by slavemowgli · Score: 4, Insightful

      Here's some food for thought with regard to anti-virus companies possibly being responsible for (some) viri.

      If you look at the computer viri there were in the last 20 or 25 years, there are of course many trends, but one in particular stands out: there has been a huge shift from destructive to non-destructive viri. Remember things like Michelangelo, Stoned and so on? Many of these were actually doing damage - they'd delete your hard disk on certain dates, or overwrite files on access, or other such things.

      However, things have changed: these days, at least 99% of all viri, worms, trojans and other malware seem to be content to simply reproduce as much as possible instead of carrying an actually destructive payload. Some might be used to send spam, perform (distributed) DoS attacks and the like and thus cause economic damage, true; but the individual users' boxes are typically unaffected (except for slowdowns and similar things).

      Why did this happen? One might argue that the reason is simply that virus writers don't want to bite off the hand that distributes them anymore, or that dead zombies are useless for launching attacks against third parties. But it could also conceivably be an indication that it's different people who write viri these days, with different motivations, different limits, and different morals. And the idea that (some) anti-virus companies are secretly helping out with the creation of new malware doesn't seem so far-fetched anymore when you take into account that with a non-destructive worm, it's much easier to convince yourself that you're not doing *real* damage - especially if there's also the prospect of making money, which probably already has weakened your morals.

      --
      quidquid latine dictum sit altum videtur.

  7. Walk through Best Buy by suitepotato · Score: 3, Insightful

    See how many anti-spyware, anti-virus, anti-malware apps there are on sale there, with names you've likely never ever heard of. People who cannot even write semi-reliable shareware are now writing these things, and people like gullible fools are buying them.

    On the other side, you have companies like Symantec and McAfee whose best written and supported products have been known to totally hose business PCs at the drop of a hat. Secure? I don't trust them to run correctly, never mind actually do what they were installed for.

    None of this is very new, most of it seems obvious, and it is truly sad that so many will read this and think it a groundbreaking notice instead of the afterthought by the IT world which it is. The horses are out of the barn, and now people are realizing that they got out because they tried using screen doors to hold them in, and they will predictably go look for spline and a tool to put more screening in.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)

  8. Security? Why not common sense? by ianmac7 · Score: 1, Insightful

    Yes, I do admit that some security software is necessary; however, a lot of folks just need to use some good old common sense. Email, for example: people just blindly click on links in email, not knowing what will happen. And giving out private info happens all too often and then results in identity theft, credit card abuse, etc.

    I have a blog entry about email and it has some helpful hints that I wish people would take into consideration regarding security of information.

  9. Re:For secure applications, don't use a PC. by A+beautiful+mind · Score: 3, Insightful

    "Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint."

    Security by obscurity, but security nonetheless. But, as some wise man once said something like this: you can increase a system's security right down to unusability. Security only makes sense when you gain from using it. Personally I do not see the point of using VMS as a webserver, when you could run it for example on OpenBSD, which would probably decrease security a bit, but improve your productivity a lot. I'm sorry, the DCL-hating person speaks from me. ;)

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say

  10. I find it supremely ironic by saskboy · Score: 2, Insightful

    The irony is almost delicious: after using my computer for years without any antivirus program installed on it and not having a single infection, I managed to get my first virus through a website and a Java flaw after installing AVG antivirus.

    Now Zone Alarm, Black Ice Defender, Symantec, and more have found serious flaws in their security products that actually make them VECTORS for infection by executing the viruses they are designed to detect and safely remove or block. It doesn't make me feel bad at all for using a naked computer all those years, as I may have had fewer unpatched/unknown vectors for infection than if I was running something like Zone Alarm all the time [although to be fair to them, the Windows hole count is far from over].

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.

  11. Re:Insecure by Reaperducer · Score: 3, Insightful

    It's official. The cure for Windows is worse than the disease.

    Sounds like a Soviet Russia joke waiting to happen.

    Imagine telling someone you don't run Norton/McAfee/etc... because it's not secure. Now you have to switch to Linux/OS X for both a more secure operating system and more secure applications.

    --
    I'm old enough to have lived through six different meanings of the word "hacker."

  12. Re:it wasn't supposed to be like this! by 64nDh1 · Score: 5, Insightful

    In my experience Norton Antivirus ignores default browsers and uses Internet Explorer when you ask it to take you to the instructions for manual virus removal.

    Norton Antivirus, despite regular updates by LiveUpdate, does not give full scans, in that it does not find certain very frikkin' major trojans on any Windows system. The Shinwow virus that still resides on my XP system is a case in point, as is the Java byte exploit which allowed another user on the system to accidentally have it put there by some scurrilous website.

    On Mac, Norton Antivirus lost a lot of respect, and a lot of Mac users will just tell you that AV is for suckers anyway, but Norton pissed off people when their existing disk utilities (Speed Disk, Disk Doctor I think) which handled drive optimization were not Panther compatible. Certain people (those running the 10.2 Norton on Panther 10.3) lost complete functionality on their hard drives ("churning" is how I saw it described), requiring formatting with (AFAIK) no chance of file recovery. Same goes with using Norton 9 on Tiger - don't.

    When using Norton Antivirus year on year the 'upgrades' mean that your boot time, and logon times increase. See my first point that this does not mean that you are more protected as at least one older known trojan is still undetected by a full system scan.

    If you enable Program Launch Monitoring then Norton will tell you about absolutely every little thing that accesses the internet. This is a good thing, but from what I can see, they've taken out the damn option to "Don't show me this bullshit again, of course Firefox is going online!" and it keeps happening.

    Just earlier today, I let Norton integrate itself into my Dad's mail client, Outlook Express, then I got 5 warnings that NORTON was being called by another program, and accessing the internet. This isn't even the veil of a false sense of protection. I increasingly think this junk is being coded by morons. Compared to each other, EZ Armour, eTrust Antivirus whatever it's called runs a scan faster, finds more, and I trust it more. It's not any worse to boot speeds. And while 'the devil you know is better than the devil you don't' I'm looking to return to some sort of honeymoon period so that you don't feel cheated and abused for spending on a program which you need due to stupid security holes and ignorant malicious script kiddies.

    My antivirus experience is getting so bad, and so resource intensive, that I have taken to schooling every member of my family who uses the computer and who will listen, and I am showing them how everything can be done as promptly on SuSE 9.1 Pro in KDE with Firefox and KMail. This switch has nothing to do with Windows frustrations, which are relatively minor; this is just to do with lugubrious boot times and all those lost proc cycles.

  13. Re:it wasn't supposed to be like this! by Anonymous Coward · Score: 1, Insightful

    Since I'm sure there will be indignant MS/IE fanatics reading this topic and carpetbombing every thread with the MS PR mantra of "all computer systems are equally insecure" and "MS is only a target because they are so popular" it would be a good place to ask a question.

    It seems like the only reason you continue to run IE is some form of face saving. You've spent years telling everyone you know that MS/IE "is the only way to go because MS is always teh winner!" or something along those lines. And now that the public/press has finally woken up to the MS/IE security nightmare you have a choice:

    1) Quietly switch to Firefox or some other safe non-IE web browser and pretend like you hadn't run your mouth off about MS for so many years

    2) Stick it out with IE. "No one is making me switch!"

    Boggle, there actually are people out there in camp 2). Why?

  14. Re:it wasn't supposed to be like this! by Tony-A · Score: 2, Insightful

    Oh god, what is really scary is that I can imagine a slick salesman selling someone Antivirus-Antivirus software. It makes sense if you are a layman.

    In a sense (pun intended) it's already happening. Not only is the virus called "anti" sold, it often even comes pre-installed.

    Have you ever heard of a patched roof being sounder than the original?

  15. No profit motive by Create+an+Account · Score: 2, Insightful

    I disagree. Remember the browser wars? By the time enough people were objecting to the bundling of IE with Windows, it was too late. The consequence? Browser monoculture.

    When MS bundles AV software with the OS, it is too easy for Joe Sixpack to adopt that as his AV solution. Then it's MS de facto standards for Windows, Office, and computer security. Even harder to get people to switch.

    When MS offers another "secure computing" initiative that 'natively' integrates with MS AV, adoption is immediate and almost total across the Windows install base. The fact that the "secure computing" initiative contains strong IP protection, and maybe hardware integration, and maybe transparent usage reporting is never made clear to the average end user.

    Never assume that an attempt to increase market share/integration/adoption by MS does not have a profit motive. There are few altruists working on Redmond Campus.

  16. Complex systems have more potential attack vectors by Spoing · Score: 2, Insightful

    That's much of the reason for my sig.

    Why is this such a mystery?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.

  17. Re:AVG Free - infinitely better than norton, et al by Spoing · Score: 2, Insightful

    Virus detection software isn't security. It's a patch for faulty or insecure system design. That's why it's not needed on very many systems these days.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.

  18. Re:AVG Free - infinitely better than norton, et al by Krimszon · Score: 2, Insightful

    Basically useless?

    I run McAfee, and of course I don't know how it's programmed, and I agree it uses a lot of memory and sometimes a lot of CPU as well, but useless? No, I wouldn't agree. I've been virus-free for at least 4 years, and the firewall notifies me at least once every 2 days that some computer is trying to access my computer. Are you saying I do have viruses and that the notifications are false positives?