Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Insecurity of Security Software

Posted by Zonk on from the save-me-from-myself dept.

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

5 of 264 comments (clear)

  1. Verisign by tehshen · · Score: 4, Insightful

    "Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."

    If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  2. Re:McAfee and Symantec are out there to make money by Raul654 · · Score: 4, Insightful

    I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  3. Just moves the goalposts of 'Trust' by Anonymous Coward · · Score: 4, Insightful

    Instead of fixing the underlying problem most 'security software' (at least at the desktop users end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes with the added danger that users feel protected and hence don't pay attention to simple day to day good security practices.

    As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had apriori knowledge (ie they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software comes as no suprise. In fact when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al. No way, for one I haven't seen their source.

    1. Re:Just moves the goalposts of 'Trust' by slavemowgli · · Score: 4, Insightful

      Here's some food for thought with regard to anti-virus companies possibly being responsible for (some) viri.

      If you look at the computer viri there were in the last 20 or 25 years, there's of course many trends, but one in particular stands out: there has been a huge shift from destructive to non-destructive viri. Remember things like Michelangelo, Stoned and so on? Many of these were actually doing damage - they'd delete your harddisk on certain dates, or overwrite files on access, or other such things.

      However, things have changed: these days, at least 99% of all viri, worms, trojans and other malware seem to be content to simply reproduce as much as possible instead of carrying an actually destructive payload. Some might be used to send spam, perform (distributed) DoS attacks and the like and thus cause economic damage, true; but the individual users' boxes are typically unaffected (except for slowdowns and similar things).

      Why did this happen? One might argue that the reason is simply that virus writers don't want to bite off the hand that distributes them anymore, or that dead zombies are useless for launching attacks against third parties. But it could also conceivably be an indication that it's different people who write viri these days, with different motivations, different limits, and different morals. And the idea that (some) anti-virus companies are secretly helping out with the creation of new malware doesn't seem so far-fetched anymore when you take into account that with a non-destructive worm, it's much easier to convince yourself that you're not doing *real* damage - especially if there's also the prospect of making money, which probably already has weakened your morals.

      --
      quidquid latine dictum sit altum videtur.
  4. Re:it wasn't supposed to be like this! by 64nDh1 · · Score: 5, Insightful
    In my experience Norton Antivirus ignores default browsers and uses Internet Explorer when you ask it to take you to the instructions for manual virus removal.

    Norton Antivirus, despite regular updates by LiveUpdate, does not give full scans in that it does not find certain very frikkin' major trojans on any Windows system. The Shinwow virus that still resides on my XP system is a case in point, as is the Java byte exploit which allowed another user on the system to accidentally have it put there by some scurrilous website,

    On Mac Norton Antivirus lost a lot of respect, and a lot of Mac users will just tell you that AV is for suckers anyway, but Norton pissed off people when their existing disk utilities (Speed Disk, Disk Doctor I think) which handled drive optimization was not Panther compatible. Certain people (those running the 10.2 Norton on Panther 10.3) lost complete functionality on their hard drives ("churning" is how I saw it described) requiring formatting with (AFAIK) no chance of file recovery. Same goes with using Norton 9 on Tiger - don't.

    When using Norton Antivirus year on year the 'upgrades' mean that your boot time, and logon times increase. See my first point that this does not mean that you are more protected as at least one older known trojan is still undetected by a full system scan.

    If you enable Program Launch Monitoring then Norton will tell you about absolutely every little thing that accesses the internet. This is a good thing, but from what I can see, they've taken out the damn option to "Don't show me this bullshit again, of course Firefox is going online!" and it keeps happening.

    Just earlier today, I let Norton integrate itself into my Dad's mail client, Outlook Express, then I got 5 warnings that NORTON was being called by another program, and accessing the internet. This isn't even the veil of a false sense of protection. I increasingly think this junk is being coded by morons. Compared to each other, EZ Armour, eTrust Antivirus whatever it's called runs a scan faster, finds more, and I trust it more. It's not any worse to boot speeds. And while 'the devil you know is better than the devil you don't' I'm looking to return to some sort of honeymoon period so that you don't feel cheated and abused for spending on a program which you need due to stupid security holes and ignorant malicious script kiddies.

    My antivirus experience is getting so bad, and so resource intensive, that I have taken to schooling every member of my family who use the computer and who will listen, and I am showing them how everything can be done as promptly on SuSE 9.1 Pro in KDE with Firefox and KMail. This switch is nothing to do with Windows frustrations which are relatively minor, this is just to do with lugubrious boot times and all those lost proc cycles.