Slashdot Mirror


Computer Security Still Totally Inadequate

Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise". Kernel developer and Red Hat fellow Alan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say, "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

452 comments

  1. Symantec, eh? by Musteval · · Score: 5, Funny

    No agenda here. Move along.

    --
    Note to mods: I'm probably being sarcastic.
    1. Re:Symantec, eh? by aklix · · Score: 1

      No, this is M$... go ahead, search for the slammer worm, it only affects M$ products. Although they have an agenda, it's booked 6 months with slacking off. Way to go M$.

    2. Re:Symantec, eh? by ackthpt · · Score: 5, Funny
      No agenda here. Move along.

      No, they have one... they found it in some book, written by some guy named Agrajag. Works much better for them than it did for him. Funny that.

      "Do not worry, Arthur Dent. Be afraid. Be VERY afraid."

      --

      A feeling of having made the same mistake before: Deja Foobar
    3. Re:Symantec, eh? by Soul-Burn666 · · Score: 4, Insightful

      Having the whole internet spammed with packets sent from infected machines, causing the network to slow to a crawl affects everyone.

      That's the main problem with these viruses, they DON'T only affect microsoft products.

      --
      ^_^
    4. Re:Symantec, eh? by Symphonix · · Score: 0, Redundant

      Agreed. Symantec waving their arms at all the Mac and Firefox and open-source anti-virus users and shouting "You're not safe! You're not safe!" is self-serving propaganda, not news.

    5. Re:Symantec, eh? by MasterB(G)ates · · Score: 3, Funny
      --
      In the Slashdot moderating system, humourless based offenses are considered especially heinous.
    6. Re:Symantec, eh? by Michalson · · Score: 1

      I think you spelled that wrong. It's spelt Slapper, or Lion, or Santy, or Adore, or...

  2. Java. by Anonymous Coward · · Score: 1, Funny

    If everyone programmed everything in Java things wouldn't be this way.

    1. Re:Java. by DaHat · · Score: 5, Funny

      Quite true! If everything was programmed in Java, viruses would move so slow that they would never have a chance to infect a significant # of machines as well as those they attempt to infect would take forever to execute its evil payload.

    2. Re:Java. by sqlrob · · Score: 2, Informative

      Is that so? Here's a two'fer

      CVE-ID: CAN-2005-2529

      Available for: Java 1.4.2

      Impact: Malicious system users can gain elevated privileges.

      Description: This is specific to the implementation of Java on Mac OS X. The utility used to update Java shared archives is susceptible to a privilege escalation vulnerability from local system users. This update addresses the issue by performing additional clean-up before launching the utility on behalf of unprivileged users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Dino Dai Zovi for reporting this issue.

    3. Re:Java. by jellomizer · · Score: 0

      Of course most potential virus writers will be sick of programming java at the end of the day of work/school that they will not even think about using java until the next day.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Java. by unother · · Score: 1

      Has anyone stopped to consider that the way Java spreads, and the effects on systems it has, it, too, could be thought to be a virus?

    5. Re:Java. by CDMA_Demo · · Score: 1


      Stating the obvious, sometimes you get a feeling of security by keeping a low profile. If something is popular it naturally attracts saboteurs, and therefore has a better chance of being exploited, thereby ruining its reputation. Some might brand less popular OSes as insecure as Windows -- we just don't hear of as many incidents related to breaches.

    6. Re:Java. by MikeFM · · Score: 1

      I thought that was Windows.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    7. Re:Java. by andy_shepard · · Score: 5, Funny

      Saying that Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders

      In other news, fans of anal sex everywhere protest the comparison to Java.

    8. Re:Java. by FLAGGR · · Score: 1

      Why, because write once run everywhere is a hoax? Or because Java is slow, and you could probably manually pick the electrons on the harddrive that housed the virus off before it could execute?

    9. Re:Java. by QuaZar666 · · Score: 2, Insightful

      Already been fixed with Java 1.4.2 release last week. In fact I remember getting that update.

      Now I am not saying that Viruses can not exist for mac, but at the same time it would not be easy for it to gain access to the entire system, since the only user that can modify the entire system is disabled by default (root). For years people have been saying "just wait, there will be a virus that affects Macs". Well I am still waiting for it. Sure you could tell people to download something from a web page that then runs on the system, but that's not a virus. You could also use bonjour to send a file to everyone else on the network, but you would then need to find a way for it to get onto the network. Mail.app does not auto run scripts so you would have to tell a person to download a file (which would have to include a program to send emails via your SMTP server as defined in com.apple.mail.plist, since you can't tell mail to just send out an email, it would also need to include a feature to read your address book in order to send the emails via its own mail feature, and after doing all that you could send out a virus, but by the time you create a program that does all that you would probably be looking at a file at least 300K, and well the most you could really do is rewrite preferences so for example all jpeg images will now open with textedit, and then add itself to the startup group, but it could not add itself to launchd. To get rid of the virus the most you would really need to do is start the computer into safe boot remove the program from startup, and change the preferences it changed (or recreate the files that the "virus" deleted). Until that day comes I will still run my computer without virus protection.

    10. Re:Java. by Anonymous Coward · · Score: 0

      In other news, fans of anal sex everywhere protest the comparison to Java.

      But I thought Macintosh and Linux users favored Java.

    11. Re:Java. by sqlrob · · Score: 1

      Oh no, I'm not saying it wasn't resolved, I got that from gee, the documentation from when I downloaded the patch myself.

      OS X is far safer, but it's not immune.

      And don't underestimate user stupidity. MyDoom was one of the fastest spreading ever, and it required user intervention to start.

    12. Re:Java. by Deekin_Scalesinger · · Score: 1

      Aw come on Mods - that was funny, cut the man some slack. Heck I'll even take a karma hit for the poor guy.

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    13. Re:Java. by QuaZar666 · · Score: 1

      agreed, but at the same time, mail auto unzips files for you, and then if you try to open an application it brings up a box that says " 'program name' is an application, are you sure you want to open the application 'program name' ". haven't yet tested it with an applescript attachment, but then again it would be a little harder to have it replicate with the limited features of applescript.

    14. Re:Java. by Anonymous Coward · · Score: 2, Insightful

      with the limited features of applescript

      Yes, with such limited functionality as "do shell script", "run application", "write (file)", and "open url"...not to mention complete user-level control of most running apps (such as, say, Mail)...I really can't imagine how someone would pull off anything malicious.

    15. Re:Java. by -brazil- · · Score: 2, Informative

      No, because Java does automatic array bounds checks, which makes normal buffer overflow vulnerabilities impossible - one of the most common kinds of security flaw in C apps.

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    16. Re:Java. by Anonymous Coward · · Score: 0

      Insult me if you feel you must, I'll just mod down your other messages.

      Fag.

    17. Re:Java. by -brazil- · · Score: 1

      Ha, ha, he poked fun at Java being slow. How well-informed and original...

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    18. Re:Java. by mollymoo · · Score: 1
      Has anyone stopped to consider that the way Java spreads, and the effects on systems it has, it, too, could be thought to be a virus?

      It's either an endoparasite or an endosymbiont (depending on your religious convictions), but certainly not a virus.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    19. Re:Java. by OwnedByTwoCats · · Score: 2
      Stating the obvious, sometimes you get a feeling of security by keeping a low profile. If something is popular it naturally attracts saboteurs, and therefore has a better chance of being exploited, thereby ruining its reputation. Some might brand less popular OSes as insecure as Windows -- we just don't hear of as many incidents related to breaches.

      And that very same reason, low market share, is why there are so few exploits for IIS and so many more exploits for Apache.

      Oh, wait a minute. Reality is the other way around.
    20. Re:Java. by Doctor+Faustus · · Score: 1

      There's a joke in here somewhere about bisexuality being cross-platform...

    21. Re:Java. by QuaZar666 · · Score: 1

      limited in the terms of the ability to create a binary application, and well mail does not allow you to send an email without any user interaction. The most you could do would be create a new email with the attachment, and then wait for the user to click send.

  3. To say nothing of the horrors of... by Anonymous Coward · · Score: 0

    Duplicate stories.....

  4. "Computer" security? by Anonymous Coward · · Score: 0

    Don't they mean "Windows" security?

    1. Re:"Computer" security? by frinkacheese · · Score: 3, Insightful

      Hmm no. Remember the BIND vulnerability a few years back, that sucked. Back then, most people ran BIND as root in a non chrooted environment. Really, just about all computer security is pretty much useless against anybody with a little determination.

    2. Re:"Computer" security? by SFalcon · · Score: 3, Informative

      Nevermind RTFA, did you even read the summary?

      "Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"."

    3. Re:"Computer" security? by DA-MAN · · Score: 1

      "Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"."

      Oh shit! I must be doubly screwed because I use Firefox on my Mac!

      --
      Can I get an eye poke?
      Dog House Forum
  5. OSX Virus by Fahrvergnuugen · · Score: 3, Interesting

    I've been an OSX user for nearly 5 years. Still waiting...

    --
    Kiteboarding Gear Mention slashdot and get 10% off!
    1. Re:OSX Virus by Gilesx · · Score: 0, Offtopic

      I'll give you this link now, before you suffer a period of enforced downtime at the hands of the inevitable.

      -> www.foresightlinux.com

      Now - don't say I never do anything nice for anyone!

      --
      Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
    2. Re:OSX Virus by qw(name) · · Score: 3, Insightful

      The primary problem with OS X is the indiscriminate use of the administrative password. Mac users are so used to typing in that password that if an installation asks for it the user automatically types it in. Instant root-kit installation. Now, let's see if Symantec, with all their ridiculous doom and gloom crap, detects it.

    3. Re:OSX Virus by dratox · · Score: 0, Offtopic

      Probably the same thing the people in New Orleans were saying before Katrina...

      The fact that it hasn't happened yet is no indication that it won't, and for all you know it could be any day now.

      People knew about the danger New Orleans was in, and that it would be blatantly unprotected if a hurricane of great enough force were to hit. Had the people who had the power to do something stepped up and tried to remedy the situation (not passing judgement, just playing out a scenario) the disaster might not have been so terrible.

    4. Re:OSX Virus by Anonymous Coward · · Score: 0

      I've been a Windows user for close to 15 years now and I'm still waiting.

      I've had friends get their OSX boxes infected because of their stupidity, so it's not like it's impossible to get infected, no matter what you use.

    5. Re:OSX Virus by SCVirus · · Score: 0, Troll

      ... for a hacker to have any interest whatsoever in root access to a macosx machine.

    6. Re:OSX Virus by Ubernurd · · Score: 2, Insightful

      How is this "informative", mods?

      The article's point is that as "alternative" (read non-MS) OSs and browsers gain popularity, they will garner proportionately more attention from crackers. The "dream world" they speak of is the notion that certain products are more secure because there are less attacks launched against them.

      Not that I agree with TFA, but the point it is trying to make is that because these products have fewer deployments they are a less juicy target for crackers (opportunists). That will change and then we can really see how secure those products are.

      Personally, I think they will stand up much better than the article suggests, but we can't really have an accurate picture until the playing field levels a bit.

      How long this person has been running a mac has nothing to do with it.

      --
      Stack overflow: pid 352258, proc httpd, addr 0x11f7ffff0, pc 0x12000195c Segmentation fault (core dumped)
    7. Re:OSX Virus by Anonymous Coward · · Score: 0

      How is this different from "sudo rpm install ...", if you don't know for a fact that the package is safe to install?

    8. Re:OSX Virus by Metzli · · Score: 4, Insightful

      I'm not trying to shift the discussion from OS X, but it's not the only OS with that potential user issue. How often does a Linux user click on a program on their desktop that asks for a password? This is a user education issue, just like the "don't click on files that you weren't expecting" Windows problem. Unfortunately, it's darn-near impossible to protect the user from his/her own stupidity, regardless of the operating system they're on.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    9. Re:OSX Virus by Anonymous Coward · · Score: 2, Insightful

      Infected with what?

      There are no viruses out in the wild for OSX.

      Come on, Mr. Anonymous Coward - if you have proof, then post it!

    10. Re:OSX Virus by Halfbaked+Plan · · Score: 1

      On my NetBSD system, the only thing I click on in the menu that prompts for the root password is the 'root console' menu item that I put in

      ~/.fvwm/.fvwm2rc awhile back.

      And I seldom, if ever use it.

      --
      resigned
    11. Re:OSX Virus by geekee · · Score: 1

      " I've been an OSX user for nearly 5 years. Still waiting..."

      With a 3% market share, there isn't much profit motive in exploiting OS X, so hope Apple keeps flying under the radar.

      --
      Vote for Pedro
    12. Re:OSX Virus by Burz · · Score: 1

      I really don't see what is wrong with the user 'indiscriminately' typing the admin password for a program they want to install. Either they trust the app or they do not. No way around that.

      Sure there are people who would type in their admin password for something like an applet on a web page...... There are also people who drive their cars into brick walls. I don't worry that the former could bring down the Internet, any more than I worry about the latter stopping highway traffic.

    13. Re:OSX Virus by VoidWraith · · Score: 1

      Can we mod you -1, Hypocrite? You go and accuse him of making claims and being anonymous, and do exactly the same thing yourself. Personally I think your claim is less likely.

    14. Re:OSX Virus by Durandal64 · · Score: 1

      The burden of proof is on the person making the affirmative claim. The person claiming existence must provide evidence, not the other way around.

    15. Re:OSX Virus by saskboy · · Score: 1

      New Orleans was a levee user for decades, but their false sense of security proved to be rather destructive, didn't it?

      Just because it hasn't happened yet, doesn't mean it won't happen tomorrow. The article is right that a virus could easily wipe out half of the computers connected to the Internet, if it was professionally programmed, using multiple vectors and multiple payloads. It just wouldn't be profitable at this stage, but just wait until something like Circuit City who repairs computers gets into the computer destroying racket.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    16. Re:OSX Virus by Ragingguppy · · Score: 1

      I've seen Mac viruses. They do exist. They are rare. But they do exist.

    17. Re:OSX Virus by drsmithy · · Score: 1
      Sure there are people who would type in their admin password for something like an applet on a web page...... There are also people who drive their cars into brick walls. I don't worry that the former could bring down the Internet, any more than I worry about the latter stopping highway traffic.

      You should, because that's how most of that Windows malware gets installed.

      It amazes me, after all the evidence to the contrary, that there are still people out there who think most users won't install and run any software that pretends to be even marginally interesting and that "but they have to type in an admin password" is actually seen as an effective security measure.

    18. Re:OSX Virus by drsmithy · · Score: 4, Insightful
      I've been an OSX user for nearly 5 years. Still waiting...

      So am I, but I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.

    19. Re:OSX Virus by at_slashdot · · Score: 1

      "With a 3% market share, there isn't much profit motive in exploiting OS X, so hope Apple keeps flying under the radar."

      On the other hand those people that use Macs seem to be rich.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    20. Re:OSX Virus by BrokenHalo · · Score: 1
      The fact that it hasn't happened yet is no indication that it won't, and for all you know it could be any day now.

      OK, agreed up to a point, but the default setup for OS X and other unix-like operating systems usually limits write permissions outside the user's home directory. This is a very basic aspect of security, commonly not implemented on Windows boxes, which pretty much limits the damage a virus should be able to do.

    21. Re:OSX Virus by Anonymous Coward · · Score: 0

      Wasn't opener around a couple of years back? Used admin priv to run? Am I wrong?

    22. Re:OSX Virus by NickBilo · · Score: 1

      Simpsons@mm is an AppleScript worm that targets the Macintosh platform. It may open Microsoft Outlook Express or Entourage, and send a copy of itself with the original message to everyone in your address book. The name of the script is "Simpsons Episodes." This worm does not appear to be particularly malicious, and is similar to other mass-mailing worms that affect Windows computers such as VBS.LoveLetter http://securityresponse.symantec.com/avcenter/venc/data/mac.simpsons@mm.html

    23. Re:OSX Virus by qw(name) · · Score: 1

      It's basically the same thing. That's why it's important to know exactly what you are installing, where it came from, etc. Checking the checksum values is also an effective way of validating a program/distribution. It's not perfect but it's better than nothing at all.

    24. Re:OSX Virus by Anonymous Coward · · Score: 0

      My mistake a quick google reveals opener was a macosx rootkit. Still, no one is immune... Unless u turn off ur pc, put it in a safe, lock it, bury it in the desert 50 feet under.. and still it aint safe

    25. Re:OSX Virus by leonbev · · Score: 2, Insightful

      Out of the hundreds of millions of computer users out there, how many actually know how to check the checksum on a file? Now, out of THOSE few people, how many bother to check checksums on all of those files before installing them?

    26. Re:OSX Virus by qw(name) · · Score: 1

      Does it matter? The point is that there exists a method of performing checks on files to help ensure the validity of those files. Whether people use those techniques or not is beside the point.

      It would be great if people would incorporate such technology into the installers. But until that day comes, people will continue to install software without validating it.
    27. Re:OSX Virus by arminw · · Score: 4, Insightful

      .....Mac users are so used to typing in that password that if an installation ask for it the user automatically types it in.....

      That assumes the Mac user knows the admin password. In a business or school environment the password could be kept only by a few administrators and in a home the parents could keep it. Everybody else is just an ordinary user and the computer is therefore safe from any attack that needs administrator access.

      In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

      Restricting users like this would go a long way to reducing the spread of malware. Only those clueless computer users that are running as administrators could be affected if they type in their password after they have downloaded something from the Internet.

      Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user. If the action involves an unknown admin password, then that stops the nasty stuff right then and there.

      --
      All theory is gray
    28. Re:OSX Virus by pammon · · Score: 1

      OS 9 had some worms and viruses, like that one. As of yet, OS X is unaffected.

    29. Re:OSX Virus by dryeo · · Score: 1

      Is rm -rf ~ that much better than rm -rf /
      Operating Systems are a simple reinstall, home contains my stuff. Same with spyware running as me instead of root.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    30. Re:OSX Virus by Anonymous Coward · · Score: 0

      I've been using Windows since 3.1 still waiting for a virus to affect me that doesn't come in a 5 1/4 floppy.
      What's your point?

    31. Re:OSX Virus by arminw · · Score: 2, Insightful

      ....With a 3% market share,.....

      That is such an old saw which sounds like a broken record. If I had the money, I'd offer $100K to the first person that can infect a standard OSX Mac over the Internet with a self-replicating, spreading malware without requiring user interaction such as entering a password. That also goes for turning such a Mac into a remotely controlled zombie. In business and schools as well as in many homes, the admin passwords could be kept away from most users.

      There are uncountable Windows malwares that require nothing more than having the stock, running computer connected to the Internet. I know of no such thing for Macs. Surely there must be hackers out there who would love to be able to brag that they were the first to come up with a nasty worm/virus that hoses millions or at least thousands of unprotected Macs.

      Anti virus companies, such as Symantec of course fear that if the Macs did get a huge market share, their business which depends on all the MS security lapses, would nosedive. This is why they are putting out increasing amounts of fear propaganda to try to dissuade folks from switching to Macs because they are much more secure.

      --
      All theory is gray
    32. Re:OSX Virus by Randseed · · Score: 1
      I've been a Linux user for something like 11. Still waiting too. ;)

      The main problem with Windows and MacOS X both are users running as admin all the time. Linux has the same problem in many cases, but it's stuff running as root that has no business running as root.

      A doctor brought his laptop in the other day to show me this cool imaging stuff he was doing with MRI data. Interesting and all that, but I couldn't help cringing when he goes to log into X11... as root.

    33. Re:OSX Virus by Anonymous Coward · · Score: 1, Insightful

      You don't run as admin in OSX all the time. You do all the administrative tasks the sudo way..

    34. Re:OSX Virus by Lars+T. · · Score: 4, Insightful

      If someone can palm a manipulated program off on you, he can also give you a false checksum to match.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
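
The checksum argument in the comments above, worked through as an added example that is not part of the original thread: a checksum published next to the download catches corruption, but not a substitution by whoever controls both files. The payload bytes, file name and `download` helper are constructed for illustration, SHA-256 is an assumed choice of hash, and `PINNED_DIGEST` stands in for a digest obtained through a channel the download source does not control.

```python
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_line(line: str) -> tuple:
    """Parse one sha256sum-style line: '<64 hex digits>  <filename>'."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<digest>  <filename>'")
    digest, name = parts[0].lower(), parts[1].lstrip("*")
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError("not a SHA-256 hex digest")
    return digest, name


def matches(data: bytes, expected_hex: str) -> bool:
    """Compare the file's digest with an expected one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


# Constructed sample data (not real software).
FILENAME = "sample-installer.sh"
GENUINE = b"#!/bin/sh\necho 'installing sample app 1.0'\n"
SUBSTITUTED = b"#!/bin/sh\necho 'not what the vendor shipped'\n"

# Assumption: the user learned this digest out of band (for example from the
# vendor directly), not from the server that hands out the file.
PINNED_DIGEST = sha256_hex(GENUINE)


def checksum_line(data: bytes) -> str:
    return f"{sha256_hex(data)}  {FILENAME}"


def download(kind: str) -> tuple:
    """Hypothetical download source returning (file bytes, checksum line)."""
    if kind == "clean":
        return GENUINE, checksum_line(GENUINE)
    if kind == "corrupted":
        # One bit damaged in transit; the checksum file itself is intact.
        damaged = bytes([GENUINE[0] ^ 0x01]) + GENUINE[1:]
        return damaged, checksum_line(GENUINE)
    if kind == "substituted":
        # The source controls both files, so the checksum is regenerated.
        return SUBSTITUTED, checksum_line(SUBSTITUTED)
    raise ValueError(f"unknown scenario: {kind}")


def check(kind: str) -> dict:
    payload, line = download(kind)
    published, _name = parse_checksum_line(line)
    return {
        "same_channel": matches(payload, published),  # checksum from the same source
        "pinned": matches(payload, PINNED_DIGEST),    # checksum from a trusted channel
    }


if __name__ == "__main__":
    for scenario in ("clean", "corrupted", "substituted"):
        print(scenario, check(scenario))
```

Only the pinned comparison rejects the substituted file; the same-channel checksum accepts it because it was computed over the replacement.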

    35. Re:OSX Virus by Lars+T. · · Score: 2, Insightful

      With a 0.00...% marketshare, users for Win64's first public beta had to wait how long for the first virus?

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    36. Re:OSX Virus by Jeremi · · Score: 1
      Is rm -rf ~ that much better than rm -rf /


      Yes -- after an "rm -rf ~", you can still boot the machine, and you can still use any of the other user accounts on the machine. With an rm -rf, all you can do is re-install from CD.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    37. Re:OSX Virus by unapersson · · Score: 1

      home also gives you a nice easy central location to backup. It's not just viruses that can destroy files, bad hardware can do it as well (i.e. failing disk), so you should be doing that anyway.

    38. Re:OSX Virus by nyckidd · · Score: 1, Insightful

      >and in a home the parents could keep it.

      I thought the goal was to prevent the installation of malware...

    39. Re:OSX Virus by BrokenHalo · · Score: 1
      Operating Systems are a simple reinstall, home contains my stuff. Same with spyware running as me instead of root.

      Maybe a simple reinstall would be all _you_ need, but without a pretty strict backup regimen I would be stuck with a hell of a long job recompiling stuff. But if you're running spyware, you have nobody to blame but yourself: that's what ps ax | grep $USERNAME is for.

    40. Re:OSX Virus by Anonymous Coward · · Score: 0

      So am I, but I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.

      I disagree. The difference between windows and other operating systems is that windows has a default permit approach to security, where you are by default allowed to do everything, and must impose restrictions on yourself.

      By contrast, OS X has a default restrict model, where you are by default a user with restricted abilities, and have to elevate your account by entering the administrator password to get more power.

      In practice this means that an exploit in a mail program that allows executing attachments in windows is automatically a root-level exploit, while in OS X it is not.

      Granted, there are still many ways of building a virus that takes advantage of exploits in OS X, there are just less ways than there are in windows.

    41. Re:OSX Virus by EvilMole · · Score: 1

      The same, of course, is true of Windows. I've worked in companies where users aren't given Admin rights on their Windows machines, which effectively eliminates 90% of viruses because of them exploit user stupidity rather than holes in the OS.

    42. Re:OSX Virus by njyoder · · Score: 2, Insightful

      In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

      What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.

      Restricting users like this would go a long way to reducing the spread of malware

      You can restrict users like that. They're called group policies.

      Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user.

      False. Dude, do your damn research. I just looked over Apple's advisories for the first time and I quickly found a DHCP vuln that allows you full access to the file system just using the DHCP protocol. No user intervention required.

    43. Re:OSX Virus by njyoder · · Score: 1

      By contrast, OS X has a default restrict model, where you are by default a user with restricted abilities, and have to elevate your account by entering the administrator password to get more power.

      That's a pointless action, since users just end up entering in the administrator password willy nilly. What's the point in having it prompt you if you want to run a program when you're the one who double clicked it? That doesn't make much sense. Viruses work by infecting already trusted programs, so that's kind of pointless.

      Also, is it really default deny? Does it, by default, prompt you for each new connection a program tries to make? I can't imagine that would go over well with your average user, they wouldn't know what to do and would just end up making it default accept.

      In practice this means that an exploit in a mail program that allows executing attachments in windows is automatically a root-level exploit, while in OS X it is not.

      Uhm no, not if the mail program is not running as the administrator.

      Granted, there are still many ways of building a virus that takes advantage of exploits in OS X, there are just less ways than there are in windows.

      In what ways does windows have more? List some.

    44. Re:OSX Virus by Anonymous+Brave+Guy · · Score: 1
      I've been an OSX user for nearly 5 years. Still waiting...

      You hope. A lot of users don't realise their system has been "pwn3d", particularly those naive enough to think that using Platform X or Application Y somehow makes them immune to attack.

      This is the year 2005, and it's worth more to a botnet to use your compromised system discreetly. Sure, they could annoy you by making letters fall off your screen instead, but they'd alert you to their presence in the process, and that went out with amateur hour in the 1980s.

      Do you run a virus checker and use a firewall?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    45. Re:OSX Virus by MrNemesis · · Score: 2, Informative

      What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.

      It's not FUD.

      I work in a small OCR shop. We scan a lot of legal documents and convert them to PDF using Adobe Capture (not my choice, I prefer OCRShopXTR).

      Capture, both the OCR and scanning components, will either refuse to run or keep crashing if not run as an administrator. Same goes for Kodak's scanning software (which is, incidentally, some of the worst and most user-unfriendly software I have ever seen). Adobe Acrobat will not run properly as a user without r/w to Program Files.

      There would probably be an even bigger list if I didn't have to run nearly everyone as a power user anyway (there's Winamp too, but we don't use that at work).

      And please note I don't blame MS for this. Everything since Win2K has had a great system of ACLs and user privs, but the devs have been lazy and not bothered to follow MS's recommendations and are still stuck in the 9x days (although some of MS's software suffers from the same problems), so because half of the software out there doesn't run in an unprivileged environment, MS are half-forced into making everyone an administrator.

      Stupid I know, but to call the GP "FUD" is disingenuous.

      --
      Moderation Total: -1 Troll, +3 Goat
    46. Re:OSX Virus by M-RES · · Score: 1

      I'd say that how long he's been running a Mac has everything to do with it. If he'd been running them for 20 years (and totally virus-free) like some of us, then he'd have a different perspective on the issue.

      Given that the Mac commands a good 15% of the market and Apple are no longer some obscure 'other' operating system, being continually in the public eye with the help of the iPod, why aren't we seeing a corresponding level of virus/worm/trojan activity on the platform? Surely there should be at least 5% of all viruses written being Mac-oriented!? But no, we're not seeing this at all... no doubt we will as more generic lusers buy into the Mac lifestyle (purchasing their Mac mini as an iPod accessory the way Apple would like them to)... they're not the brightest sparks at the best of times so they're easy to trick out of their credit details, but for the time being the Mac's NOT under attack despite the title of the article suggesting it is.

      I've written to the author of the article to suggest he displays bar charts showing Mac/Windows virus release comparisons on a month by month basis for the past year to show the true picture, but I doubt this would be conducive to getting those pennies in from Symantec's advertising budget (I noticed the symantec banners all over the place around this 'article'... advertorial anyone?). They need to expand their business and with more and more people 'switching' (just generally away from 'Doze) it's slowly disappearing before their eyes!!!???

      But apart from that.. I reckon you're bob on. :)

    47. Re:OSX Virus by Cro+Magnon · · Score: 1
      And please note I don't blame MS for this. Everything since Win2K has had a great system of ACLs and user privs, but the devs have been lazy and not bothered to follow MS's recommendations and are still stuck in the 9x days (although some of MS's software suffers from the same problems), so because half of the software out there doesn't run in an unprivileged environment, MS are half-forced into making everyone an administrator

      I blame MS for making the default user an administrator. Perhaps if the average user was NOT an admin, the developers would have made their crap work in a limited environment after getting calls from lusers that their software didn't work. Until MS makes their defaults safe and sane, they ARE to blame for Windows insecurity!
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    48. Re:OSX Virus by Drooling+Iguana · · Score: 1

      That's why you have the package-management system do it automatically.

      --
      ... I'm addicted to placebos
    49. Re:OSX Virus by Drooling+Iguana · · Score: 1

      There's a simple answer to that: Just don't make the procedures for installing software from locations other than the distribution maintainer's package repository user-friendly.

      --
      ... I'm addicted to placebos
    50. Re:OSX Virus by petermgreen · · Score: 1

      so if you bother to partition your usage into *MULTIPLE* user accounts (or your box has users other than yourself) limited privileges are a good thing.

      but saving a reinstall is not really that huge an advantage if all your data is gone which it will be if you just run a single user account (which afaict most users do).

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    51. Re:OSX Virus by Titusdot+Groan · · Score: 2, Insightful
      In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

      What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.

      The only way you can even come close to calling this FUD is by rescoping the problem to school/business. Half the games my kids get for Christmas can't run without admin privs. It's why my kids have administrative accounts even though I'd originally set them up as unprivileged users.

      Never had that problem when they were on the Mac ... too bad only the elementary school games run on Macs ...

    52. Re:OSX Virus by 99BottlesOfBeerInMyF · · Score: 1

      The primary problem with OS X is the indiscriminate use of the administrative password.

      I agree with you for the most part. There are plenty of applications that actually need administrative privileges to install and the OS should provide more information about these applications and more finely grained security for managing them. The real problem, however, is programs that should have no need for administrative passwords, but that require them anyway. The Adobe Creative Suite, for example, requires an admin password to install. If not for the fact that I need it to do my job I would never enter my password to run an image editor and layout program. Combine that with the fact that some of the programs in the suite try to call home. The reason it asks for the password is so that it can install a CVS-like management server on your machine that always runs in the background with escalated privileges, sucks down huge amounts of RAM, and provides an easy avenue for privilege escalation attacks via a number of obvious vulnerabilities. Somehow vendors need to be made to pay attention to security or the OS needs to provide a sandbox for applications that can't be trusted.

      On a related note, trojans could do a lot of damage on OS X right now because many users might download a random application that they think is a game and run it. They might (as you mentioned) even type in their admin password for it. I think what is needed is an easily user configurable set of ACLs for programs with some sensible and well thought out defaults.

      The OS already warns the user when the download is an executable, so it is hard to hide one as a data file, but it would be useful to go one step further. By default most applications should not have access to a user's files (aside from those it creates), system files, or the internet. I think it is perfectly reasonable to download a game from some random web site, run it, and expect my OS to be able to keep it from starting a mail server, modifying my firewall, or copying my financial records. If it is an online game, fine, let the OS ask me if I want to allow it to access the internet, with an advanced configuration pane for what ports it can talk on and what servers it can talk to. If it is a graphics editor and it is used to modify my pictures, fine let me open pictures with it that I manually select, or if it wants to open all my pictures for me, or become the default application for opening a set of files, the OS can ask me.

      This sort of system would quickly curtail most trojans as well as rein in software vendors like Adobe who can't be trusted to play nicely. It is probably not needed to deal with current threats on the OS X platform, but it may well be needed in the future and would be very, very useful for many people right now. And I think Apple is the right company to do it. The hard part about all of this is making the experience intuitive and user friendly enough. Requests for resources need to be explained in plain English with clearly defined consequences, ala "The application 'Monkey Madness 4' would like to connect to the internet in a way usually used to send e-mail. (Don't let it send e-mail) (Never let it send e-mail) (Let it send e-mail just this once) (Always let it send e-mail) (Advanced Options)."

      That is the sort of control I am talking about, but with a lot more user testing to see what actually is easiest for users. Please Apple, implement this ASAP so that MS and all the Linux distros can copy it and make the internet a much better place.
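The per-application, default-deny model proposed in the comment above can be sketched as a small decision broker. This is an added example, not part of the original post and not an Apple or OS X API; the capability labels, the `Broker` class, the hard-deny rule for firewall changes and the "Photo Editor" app are all hypothetical, and the sample requests are constructed.

```python
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    # The four buttons from the dialog sketched in the comment above.
    DENY_ONCE = "Don't let it"
    DENY_ALWAYS = "Never let it"
    ALLOW_ONCE = "Let it just this once"
    ALLOW_ALWAYS = "Always let it"


@dataclass(frozen=True)
class Request:
    app: str          # hypothetical identity; a real OS would bind this to a code signature
    capability: str   # hypothetical labels: "net:smtp", "net:game", "file:read", ...
    target: str = ""  # host:port or file path


# Assumption: some capabilities are refused outright and never offered to the user.
HARD_DENY = frozenset({"system:firewall"})


@dataclass
class Broker:
    prompt: Callable[[Request], Decision]
    rules: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    granted_files: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)
    prompts_shown: int = 0

    def grant_file(self, app: str, path: str) -> None:
        """Record a file the app created itself or the user picked in an open dialog."""
        self.granted_files.setdefault(app, set()).add(posixpath.normpath(path))

    def check(self, req: Request) -> bool:
        allowed, reason = self._decide(req)
        self.audit.append((req.app, req.capability, req.target, allowed, reason))
        return allowed

    def _decide(self, req: Request) -> Tuple[bool, str]:
        if req.capability in HARD_DENY:
            return False, "hard-deny"
        if req.capability.startswith("file:"):
            # Exact match on normalised paths, no prefix matching, so "../"
            # cannot reach outside a granted file. Symlinks are not modelled.
            if posixpath.normpath(req.target) in self.granted_files.get(req.app, set()):
                return True, "granted-file"
        key = (req.app, req.capability)
        if key in self.rules:          # an earlier "Always"/"Never" answer
            return self.rules[key], "stored-rule"
        self.prompts_shown += 1        # everything else is default-deny until the user answers
        decision = self.prompt(req)
        if decision in (Decision.ALLOW_ALWAYS, Decision.DENY_ALWAYS):
            self.rules[key] = decision is Decision.ALLOW_ALWAYS
        return decision in (Decision.ALLOW_ONCE, Decision.ALLOW_ALWAYS), "prompt"


def scripted_user(req: Request) -> Decision:
    """Constructed stand-in for the dialog: the answers a cautious user might give."""
    answers = {"net:smtp": Decision.DENY_ALWAYS, "net:game": Decision.ALLOW_ONCE}
    return answers.get(req.capability, Decision.DENY_ONCE)


def demo() -> Dict[str, object]:
    game, editor = "Monkey Madness 4", "Photo Editor"
    save = "/Users/alice/Library/MonkeyMadness/save.dat"
    b = Broker(prompt=scripted_user)
    b.grant_file(game, save)                               # file the game created
    b.grant_file(editor, "/Users/alice/Pictures/cat.png")  # file the user picked
    results: Dict[str, object] = {
        "own_save": b.check(Request(game, "file:write", save)),
        "traversal": b.check(Request(
            game, "file:read",
            "/Users/alice/Library/MonkeyMadness/../../Documents/finances.xls")),
        "smtp_first": b.check(Request(game, "net:smtp", "mail.example.com:25")),
        "smtp_again": b.check(Request(game, "net:smtp", "mail.example.com:25")),
        "game_first": b.check(Request(game, "net:game", "play.example.com:7777")),
        "game_again": b.check(Request(game, "net:game", "play.example.com:7777")),
        "firewall": b.check(Request(game, "system:firewall", "open 25/tcp")),
        "picked": b.check(Request(editor, "file:read", "/Users/alice/Pictures/cat.png")),
        "unpicked": b.check(Request(editor, "file:read", "/Users/alice/Pictures/dog.png")),
    }
    results["prompts_shown"] = b.prompts_shown
    results["reasons"] = [entry[4] for entry in b.audit]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Rules here are keyed on application and capability only; the per-port and per-server rules the comment places under "Advanced Options" would add the target to that key.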

    53. Re:OSX Virus by arminw · · Score: 1

      ......the developers would have made their crap work in a limited environment after getting calls from lusers .....

      It is more likely that MS would get most of those calls.

      User: I just installed your latest OS (service pack) and now programs (names a list) don't run.

      MS rep: Those programs require administrator privileges. See your system administrator.

      User: But it is MY computer and I am the only one that uses it!

      MS rep: We have discontinued allowing users to administer their computers in order to increase security. You'll have to call the people who wrote the program. Sorry!

      User hangs up angrily and, already in a bad mood, wastes productive time to find and call up (named vendor).

      Acrobe Systems: How may we help you?

      User: I just called MS and they tell me it is your fault that my copy of your (names pgm) no longer runs after I upgraded to their latest secure OS.

      Acrobe Systems: Oh but that is an old version of that program. You'll have to upgrade to version 9.9.9 for (names ridiculous price)

      User angrily slams down the receiver calls back MS, pushes 10 buttons on phone menus, waits on hold for a half hour.

      MS rep: How may I help you.

      User: I just called Acrobe and they said that I have to buy an upgrade for (names price) just because I installed your new OS. How can I get my computer program to work again?

      MS: That's not our problem. You'll have to take that up with the vendors of the software.

      So the user shells out the cash he can't really afford and upgrades the program. Later it turns out he has to repeat this whole charade for half the programs on his computer, getting no work done that day.

      --
      All theory is gray
    54. Re:OSX Virus by 99BottlesOfBeerInMyF · · Score: 2, Informative

      I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.

      Actually, I think it is pretty difficult to create an internet worm or virus that will infect OS X machines and propagate. Some of this is due to circumstance and some of it is due to a better design. Circumstantially OS X machines are still not common, so any worm or virus that wanted to quickly spread to them would have to be cross-platform or very intelligently targeted. Either is a hurdle for malware authors to overcome.

      Secondly, the user base for OS X is composed of a lot of geeks and security guys, so a propagating worm is much more likely to run afoul of someone's well configured firewall, ACL, IDS, etc. and be identified quickly.

      Architecturally, OS X does a good job of warning users, by default, when a downloaded file is executable, thus partially mitigating that avenue of attack. Root users are an extreme rarity, local privilege escalation is non trivial, and the system does a fair job of restricting access to vital functions via the admin password. Many users will just enter it anyway (if they admin their own machine) but not all of them and it is enough to make many users suspicious (possibly helping to identify a virus early).

      Also vectors for spreading a worm are pretty hard to come by. On windows worms go after known or unknown vulnerabilities, usually in exposed system services like RPC. OS X has no exposed system services by default on any version of the OS. Windows has firewalled them recently with XP SP 2, but still has them exposed behind that firewall and wide open on other versions of windows. Outlook and IE are common vectors for viruses via web pages and e-mail, as well as P2P protocols and IM. Both outlook and IE are very poorly designed with security a tertiary concern. Outlook automatically runs all sorts of executable files due to its buggy implementation and automatically fetches remote files from the internet without user intervention, by default. IE has been pounded on again and again and most of the obvious bugs have been shaken out, but it remains a good target because it runs with escalated privileges far beyond what a web browser needs. It also incorporates Active X by default which is basically a way to run arbitrary code without a sandbox on your system, inherently trusting remote web sites. That is some pretty piss poor security. All of this has had added security measures bolted on, but the fundamental problems are still there.

      Contrast this with Safari and Mail.app and you'll see programs that, while not perfect, at least don't make huge, fundamental security mistakes in their basic architecture. I'm sure eventually someone will get a worm to propagate via a hole in unpatched versions of Safari or Mail.app, but I am also skeptical that it will go very far or have much effect. Patching is another important concern. So far OS X has a good track record for timely security fixes and has a well thought out mechanism for software updates. Everyone I know updates their OS X boxes regularly, because the OS asks them to, while only some Windows users do the same.

      Basically, worms and viruses can propagate on OS X, but the deck is well stacked against them. It is not an easy target or a particularly profitable target. Either of those things might change in the future, but as things stand it does not look like OS X will ever suffer from the same level of problems with regard to worms and viruses that Windows currently does. OS X does make it difficult to create a successful virus or worm.

    55. Re:OSX Virus by Anonymous Coward · · Score: 0
      I've been an OSX user for nearly 5 years. Still waiting...


      Hmm... It's very snappy for me. Perhaps you should try upgrading to a faster system?
    56. Re:OSX Virus by Cro+Magnon · · Score: 1

      Any way you do it, there will be some pain. The more likely scenario is that MS tech support, or some geek friend, will show the victim how to make his account an admin. That person will still be running an insecure system, but when he eventually upgrades to a newer computer, it will give him a limited account, and if Acrobe hasn't fixed their crappy software by then, they'll get more angry calls. Or at the very least, the victim will have to make a choice to run admin, instead of it being the default.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    57. Re:OSX Virus by arminw · · Score: 1

      ....a DHCP vuln that allows you full access to the file system just using the DHCP protocol.....

      I said over the Internet! What you are talking about only works on a local network or from a malicious ISP if the user has no firewall. Some hacker in China cannot use that on my Mac.

      --
      All theory is gray
    58. Re:OSX Virus by arminw · · Score: 1

      ...... too bad only the elementary school games run on Macs ......

      Actually, there are a number of fun games our teen-ager runs on his Mac. His current favorite is called Battlefield 1942. The Myst series is quite entertaining for those who don't like shoot-em-ups.

      For avid gamers though a console is a far better and cheaper choice.

      --
      All theory is gray
    59. Re:OSX Virus by Gumph · · Score: 2, Funny

      I've been a Windows user for close to 15 years now and I'm still waiting.
      What for? it to boot!!

      no, no, you're too generous really, try the beef it's great.

      --
      'By the pricking of my thumbs, something wicked this way comes'
    60. Re:OSX Virus by japhmi · · Score: 1

      The primary problem with OS X is the indiscriminate use of the administrative password. Mac users are so used to typing in that password that if an installation ask for it the user automatically types it in. Instant root-kit installation.

      Not root-kit, but admin-kit. The admin user can't modify root-owned files.

      Every OSX machine I ever supported had the root user enabled, root user password changed, then disabled again.

      --
      "Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
    61. Re:OSX Virus by qw(name) · · Score: 1

      Those are good points. I understand the need for admin authentication when installing some types of software. But the problem is that people have been desensitized to the reason why they need to enter the admin password. Education is needed.

      I am a big supporter of Little Snitch. It lets me know whenever a program tries to call home or anywhere else. Most programs try to call home to check version numbers and such. Little Snitch lets me see where they are going, so I can investigate the address, and provides me with a way to allow it once, until the program stops, or forever. I can even deny the same way. If I want the program to see if a newer version is available it should be configurable in the Preferences. Nothing should call out without express permission and including the statement in the EULA does not count. GAIN comes to mind...

    62. Re:OSX Virus by njyoder · · Score: 1

      Ok, how about sendmail vulnerabilities? What about fetchmail ones? Does checking email (which users do regularly) not count? What about the Quicktime url bug which works just by inserting a malformed url? There are many vulnerabilities that can be exploited.

      And please don't backpedal and say you meant literally no user intervention at all (as opposed to user intervention beyond normal activity like browsing websites), since even 99% of windows worms/viruses aren't spread without the user at least checking e-mail or doing SOMETHING other than just keeping their computer running.

    63. Re:OSX Virus by njyoder · · Score: 1

      The only way you can even come close to calling this FUD is by rescoping the problem to school/business.

      Uh, don't blame me because you're illiterate. The original scope, as created by the person I was responding to, was school/business settings. He was specifically referring to locking down computers in those settings by not allowing regular users admin access.

      Half the games my kids get for Christmas can't run without admin privs.

      Again, if you had read the comment I was responding to, you wouldn't bother saying this. For home users admin passwords are pointless, since your average home users are just going to blindly type it in and click through.

      That was the whole point and the person I was responding to was trying to counter that point by saying that the admin password was still useful in a business/school setting, which obviously you're not playing games in.

    64. Re:OSX Virus by njyoder · · Score: 1

      As to be expected, another zealot replies to me without reading what I was replying to. Let me quote the person I was responding to: "because so much software for mostly stupid reasons will not run correctly if the user is not an administrator."

      Notice the "so much software" part. You, so far, have given an entirety of one (1) example (counting the scanning/OCR bundle as one). That hardly qualifies as 'so much software' and hardly makes Windows sooooooo much more insecure.

      And uh, you don't need admin privileges to run Winamp nor Acrobat, as neither of them MANDATE their own updates. If you think you do, then you're configuring something very wrong.

    65. Re:OSX Virus by MrNemesis · · Score: 1

      A zealot? Wow, never had that one before. Exactly what sort of zealot am I?

      Yes, I only quoted the examples of my own experience with my own company, which is hardly a big one with a staff of six people. So I guess my statement of "there's software we need to use to do our daily business that will only work with admin or power user privs" was entirely worthless then, as I and the OP are clearly the only people in the whole world who have this problem. You asked a question, and I gave you some examples. Easy enough to understand?

      I see exactly the same thing with any number of law companies that have some shitty custom-made DB frontend or some special proofing software - they just won't run without r/w to program files. But as the Adobe and Kodak example shows, it's clearly not just restricted to the small coding houses - this is software aimed solely at businesses. Some of it you can get around with the "Run As..." feature, but this isn't a viable option when the software needs access to the domain - which of course, the sudo'd user the software is running as isn't privy to.

      And note I didn't say I needed admin privs to run Winamp or Acrobat. I said they need access to write to program files to work properly. For example, I can't use the Acrobat Catalogue function if I can't write to program files - it opens, but refuses to do anything.

      It's a problem that needs to be tackled by both MS and the developers, and people like you bitching that it's down to our own incompetence isn't going to solve anything.

      --
      Moderation Total: -1 Troll, +3 Goat
    66. Re:OSX Virus by arminw · · Score: 1

      ....Ok, how about sendmail vulnerabilities? What about fetchmail ones? Does checking email (which users does regularly) not count? What about the Quicktime url bug which works just by inserting a malformed url?.....

      Getting unknown software to EXECUTE and messing up a Mac is not easy, especially if the user is not logged in as an admin. Even then, a user is warned that file xxx contains a program that wants to run for the first time and that it could be evil. If the user is an admin and gives the password in spite of all that, then they have coming whatever happens. The problem in Windows is that the user is told NOTHING and the program executes and installs remote control back doors and who knows what. I do not know of ONE Mac that has EVER been made into a spam spewing zombie by some kind of network introduced malware. If it CAN be done it must be VERY hard, since no one has done it yet.

      --
      All theory is gray
    67. Re:OSX Virus by njyoder · · Score: 1

      Even then, a user is warned that file xxx contains a program that wants to run for the first time and that it could be evil.

      No warning is given for the examples I gave.

      The problem in Windows is that the user is told NOTHING and the program executes and installs remote control back doors and who knows what.

      And what difference does that make? If a user downloads a program, they're going to want to run it, so an admin password won't matter. If you're talking about executable attachments in e-mail, that's an issue for the e-mail software, not the OS and even OE has now disabled that by default.

      If it CAN be done it must be VERY hard, since no one has done it yet.

      No, your logic is warped. You've created a false dichotomy, that it must either a) be very hard or b) be compromised by now. You're ignoring the possibility that there just isn't much interest by the trojan/hacker community due to things such as LACK OF POPULARITY. I have yet to see a single MS-DOS worm, despite the fact that networking software exists for MS-DOS, does that mean it's secure?

      I already gave examples of vulnerabilities that don't require any special intervention on the part of the user. You can find even more by looking through vulnerability lists. Hell, with the libpng vulnerability, you just needed to get someone to view a png image (on a website or in an e-mail or wherever) and BAM, they're compromised, no dialogs, no warnings.

      It IS A MATTER OF UNCONTESTABLE FACT that vulnerabilities exist which can be exploited to spread without any kind of special dialogs to click through on the part of the user. It's just that no one has bothered to write a trojan/backdoor that exploits those vulnerabilities yet, due to lack of interest. It's security through obscurity.

    68. Re:OSX Virus by njyoder · · Score: 1

      I asked a question in a specific context, and it's important you understand that context. The person I was responding to had asserted that such software is very common, and as such, in that context, was asking for more than just a small number of examples of software for limited uses.

      And you're still wrong about Winamp and Acrobat. Worst case scenario, if you use the features that require write access (which are optional), you only have to allow access to specific files/directories, not all of program files. The windows file system security is fine grained, there's never a need to make all of program files writable.

    69. Re:OSX Virus by arminw · · Score: 1

      .....If you're talking about executable attachments in e-mail, that's an issue for the e-mail software,.....

      You cannot attach an executable file to an e-mail and expect it to run on a Mac upon opening the attachment or download from the web. That only works in Windows. On a Mac you have to put the various components of a program into a zip or dmg file which then can be unzipped into an application package. If an attempt is made to install the unzipped program folder, an admin password must be entered. In a business, school or many other environments the user would not know that. Even if the user wants to run the program in his/her own user space, the user is warned that the program may be malicious before it is run. In short, OSX puts a number of obstacles which a determined user must get around before malware can run.

      Also, unlike Windows, where malware can hide almost anywhere on a HD, nasty files can only go into a few places where they can easily be found and trashed. A determined non admin user can, with effort get a malware to run, but that will then only affect that user's space but not the system and other users.

      In windows there is a useless thing called the registry, which any malware can mess up and it requires an extremely knowledgeable person to repair a screwed up registry. If the registry is messed up enough, the computer won't even boot. There is no such single point of failure and attack in OSX unless the user has root access. There are root kits for OSX, but they cannot be installed by any standard user or a program he/she may run. The sad fact is that in Windows, any program can be installed and run without warning to the user because most users MUST run as administrator because Windows developers don't seem to heed MS guidelines and almost every user I know has at least one program that will not run unless the user has full root equivalent admin rights. When I was a system admin for our local school district, I was stymied again and again by the fact that a large number of Windows programs would not work correctly if I set up the users with limited rights. I sincerely hope that in VISTA MS finally forces developers to write code that does NOT require root access in order to function correctly. That ONE change will make Windows a much more secure system. Windows, since NT has very good user rights management, but that did not do much good because everyone runs as root. For once I hope MS chooses security over compatibility with old programs that require users to run as root.

      There is a huge difference between a theoretical vulnerability and the practical every day exploits. Popularity has nothing to do with that. If that were the case, the Apache web server should be exploited more than the MS IIS equivalent. Popularity has nothing to do with security. It is an UNCONTESTABLE FACT that out of the box, OSX is much more secure than any flavor of Windows. Any security professional, even avid MS advocates will admit that if they are truthful. However, Windows CAN be made quite secure if the user can still be productive with limited system access rights and is set up properly by a knowledgeable person.

      --
      All theory is gray
    70. Re:OSX Virus by drsmithy · · Score: 1
      Root users are an extreme rarity, [...]

      This point gets overplayed a *lot*. There's very little that malware needs (or wants) to do that requires root privileges.

      [...] local privilege escalation is non trivial, [...]

      I would propose the local privilege escalation is trivial - just pop up one of those graphical sudo prompts (or a good impersonation thereof) and you've got it.

      [...] and the system does a fair job of restricting access to vital functions via the admin password.

      Like what? What "vital functions" - from a malware perspective - do you think are protected by the "admin password"?

      Many users will just enter it anyway (if they admin their own machine) but not all of them and it is enough to make many users suspicious (possibly helping to identify a virus early).

      Many people are suspicious (or smart) enough to avoid malware on Windows, as well - but they're certainly nothing like a majority.

      Outlook automatically runs all sorts of executable files due to its buggy implementation and automatically fetches remote files from the internet without user intervention, by default.

      This is not correct. Outlook has never automatically executed attachments by default.

      IE has been pounded on again and again and most of the obvious bugs have been shaken out, but it remains a good target because it runs with escalated privileges far beyond what a web browser needs.

      IE runs at the same privilege level as the user (ie: the same "privileges" as any other app, or web browsers on other platforms). Certainly, typically, this is an Administrator - but that's not an *IE* flaw, it's a poor (albeit understandable) choice for the default configuration. IE does not have any "special" privileges, permissions or access - it's just another app.

      Contrast this with Safari and Mail.app and you'll see programs that, while not perfect, at least don't make huge, fundamental security mistakes in their basic architecture.

      The architecture of Safari (+WebCore) is basically identical to IE. Safari has also had a couple of big-ish flaws from an architectural perspective as well, IIRC.

      OS X does make it difficult to create a successful virus or worm.

      Not really. The biggest technical obstacle is a lack of listening network services by default - and that only protects against remotely propagating worms (interestingly, OS X ships with the firewall *off*). There's very little to stand in the way of user-installed malware, the type typically found on Windows machines.

    71. Re:OSX Virus by drsmithy · · Score: 1
      There's a simple answer to that: Just don't make the procedures for installing software from locations other than the distribution maintainer's package repository user-friendly.

      Microsoft do not have this luxury.

    72. Re:OSX Virus by 99BottlesOfBeerInMyF · · Score: 1

      There's very little that malware needs (or wants) to do that requires root privileges.

      You mean like enable a network service or open a port in the firewall? There is not much malware that needs root (or sudo) access on Windows, but that is just because everyone is running as an administrator (which is a major problem right there) and because Admin on Windows does not ask for the admin password to perform many operations that it probably should.

      What "vital functions" - from a malware perspective

      See above.

      Many people are suspicious (or smart) enough to avoid malware on Windows, as well

      OK, I'll use really small words for you. Windows: users are not prompted for a password. OS X: Users are prompted for a password. I think it is clear that malware is more likely to arouse a user's suspicion if they are running OS X, since it alerts them.

      Outlook has never automatically executed attachments by default.

      Please re-read my comments. Outlook has at many times in the past automatically executed scripts attached to mail delivered to it either immediately, when the mail is previewed, or when the mail is opened. The last time I bothered to look, it still executed scripts and executables when they were double clicked without providing a warning that they were executable, not data. All of the above is a security nightmare which is why pretty much every security conscious company with a clue has banned outlook as an e-mail client.

      IE runs at the same privilege level as the user...

      We've seen plenty of exploits via the web that grant full access to the system via Explorer and plenty of cases where using IE one user can gain access to another's files, or to protected system files. Running with the same privileges as the local user this should not be possible. Not that it makes a big difference since there are so many known, outstanding local privilege escalations on Windows that gaining more privileges from a normal user account is not exactly hard.

      The architecture of Safari (+WebCore) is basically identical to IE. Safari has also had a couple of big-ish flaws from an architectural perspective as well, IIRC.

      Safari+Webcore does not implement Active X or anything like it. As a result it will never be as poorly architected as IE. While there are flaws in the design of Safari and Webcore I don't know of any actual architectural decisions that are on par with the mess that is IE. Would you care to elaborate upon the point?

      The biggest technical obstacle is a lack of listening network services by default - and that only protects against remotely propagating worms (interestingly, OS X ships with the firewall *off*). There's very little to stand in the way of user-installed malware, the type typically found on Windows machines.

      And yet, there aren't any. It has been years and everyone keeps saying it is not really hard to make an OS X worm, but it just hasn't happened. Maybe because it is harder than you think? As for "user-installed malware" that does not make up the majority of infected machines, nor network traffic for malware. Self-propagating worms make up the majority of infections, although not necessarily the majority of infections known to the user.

      Sure a trojan can be sent out that poses as a harmless program or data, but the user will be warned that it is an executable, so all those trojans that pose as data will have a significant number of alerted security people and users who decide not to run it because they are unsure. A trojan posing as an executable has a harder time since it can't be easily passed off as porn or other "desirable" data. Combine that with limited privileges, a community of security experts, easy updates/patches that users actually install, and users that don't run as admin all the time and you have a system much more resistant to common malware than Windows. It is not immune by any means, but to claim it is no better than Windows is also misguided.

    73. Re:OSX Virus by njyoder · · Score: 1

      You cannot attach an executable file to an e-mail and expect it to run on a Mac upon opening the attachment or download from the web.

      UNLESS THERE IS A VULNERABILITY, WHICH IS THE WHOLE DAMN POINT. Christ you're dense. You're basically saying "as long as soft package X is totally secure and operates 100% as expected, it will not run malicious code."

      How do you think the most prolific e-mail attached viruses/worms spread on Windows? They spread by exploiting vulnerabilities in the e-mail software. Macs aren't magically immune to that.

      On a Mac you have to put the various components of a program into a zip or dmg file which then can be unzipped into an application package.

      Hello? Ever heard of a buffer overflow exploit? It immediately bypasses all of those restrictions, as it runs with the privileges and trust levels of the e-mail program.

      Not just that, but the default settings for OE (the default windows e-mail client) now forbid users from running attachments directly from e-mail AND group policies on Windows allow administrators to forbid users from saving attachments completely (regardless of file type) if they like.

      nasty files can only go into a few places where they can easily be found and trashed.

      You obviously have practically no understanding of how viruses work. Viruses INFECT trusted executable files. They can 'piggyback' on legitimate programs, that means they can sit anywhere they want.

      A determined non admin user can, with effort get a malware to run, but that will then only affect that users space but not the system and other users.

      You do realize that in a business setting that Windows can be configured to restrict users in the SAME WAY, right? Windows has had ACLs (fine-grained file system controls) and fine grained security policies much longer than Mac OS has ever had. It's all up to the admin to configure it how they wish.

      In windows there is a useless thing called the registry, which any malware can mess up and it requires an extremely knowledgeable person to repair a screwed up registry.

      Wrong, wrong, WRONG. If you're going the "business setting" route, then you must acknowledge that Windows also has ACLs attached to the registry, meaning that the user is restricted to only the specific part of the registry that contains their personal settings. They can't clobber the registry settings of anything else.

      There is no such single point of failure and attack in OSX unless the user has root access.

      Hello? 99% of home users have root access and use it without a second thought, have you been paying attention? Your average user's inclination, when prompted to do something, is to click 'yes' and type in whatever is needed, password protection for home users is pointless.

      Not just that, but you don't need root access to spread a worm/virus and cause havoc. Regular users have full internet access, which is all that's needed to spread.

      There are root kits for OSX, but they cannot be installed by any standard user or a program he/she may run.

      Uh, the same applies to regular user accounts in Windows. Have you actually done anything with Windows administration? You obviously know very little about Windows security.

      most users MUST run as administrator because Windows developers don't seem to heed MS guidelines and almost every user I know has at least one program that will not run unless the user has full root equivalent admin rights.

      This has already been covered. Most software does not require administrator privileges and you can lock down the rest. For most home users, it's mostly games that require administrator privileges and you can easily switch users for that, it's not hard to maintain separate accounts for that purpose.

      When I was a system admin for our local school district, I was stymied again and again by the fact that a large number of Windows programs would not work correctly if I set up the

    74. Re:OSX Virus by arminw · · Score: 1

      .....A very obvious principle of security is that the less popular something is, the less interest there is in exploiting it......

      Well OK if that is true, I hope the Mac never becomes too popular, say never above 10% so I and all other Mac users can ignore all the worms and viruses that plague Windows users and enjoy our security through obscurity. I also hope that MS fixes some of the security problems with VISTA and that finally Windows users too, will enjoy the blessed rest we Mac and Linux users have from malware. I have some Windows computers also and those have to be carefully set up and monitored and for some purposes these work better than the Macs.

      If the thieves don't know that I have the Hope Diamond in my closet, they won't try to break in and steal it. So maybe there is a good case for security through obscurity.

      --
      All theory is gray
    75. Re:OSX Virus by drsmithy · · Score: 1
      You mean like enable a network service or open a port in the firewall?

      You mean the firewall that isn't turned on by default ?

      A user process is quite capable of starting a daemon and making sure that daemon is restarted whenever the user logs in. Since most machines are single user, that's functionally the same as making it part of a system-level startup procedure.

      Added to that, Admin users can write to /Applications, so malicious code run by an Admin would be able to infect everything in /Applications, making it very likely every user on the machine would eventually have their accounts infected.

      There is not much malware that needs root (or sudo) access on Windows, but that is just because everyone is running as an administrator [...]

      Actually it needs 'root' for just the same things on Windows as it does on OS X - not much.

      [...] Admin on Windows does not ask for the admin password to perform many operations that it probably should.

      No, it should not. Administrator on Windows and Admin on OS X are completely different things. Administrator on Windows is somewhat similar to root on OS X (but still fundamentally different). The closest Windows analogy to an OS X 'Admin' would be a 'Power User'.

      See above.

      OS X's firewall isn't on by default, so malware would assume that it wasn't on at all. That said, since the firewall is software controlled, any malware could certainly turn it off, possibly requiring the user to enter an Admin password (which, with only a tiny amount of social engineering, most will happily do). Starting up a daemon to listen on the network is trivial. Configuring a program to start whenever a user logs in is also trivial. Scanning through a user's documents for email addresses and mass-mailing malware to them all is trivial. Deleting or modifying the user's data is trivial. Allowing a remote shell to allow an attacker an interactive login is trivial.

      As I said, there's not a lot malware might want to do that it needs root access to do.

      OK, I'll use really small words for you. Windows: users are not prompted for a password. OS X: Users are prompted for a password. I think it is clear that malware is more likely to arouse a user's suspicion if they are running OS X, since it alerts them.

      OS X users are /frequently/ prompted for an admin password - most type it without even thinking, let alone verifying what has asked. Social engineering in such an environment is simple.

      This is assuming they even *need* an Admin password - there's not much malware might want to do that requires anything more than a bog-standard user account (mainly fancy stuff like installing keyboard sniffers, or overwriting low-level system binaries and libraries).

      Please re-read my comments. Outlook has at many times in the past automatically executed scripts attached to mail delivered to it either immediately, when the mail is previewed, or when the mail is opened.

      But never by design, as you claimed - and such bugs have tended to be fixed fairly quickly.

      The last time I bothered to look, it still executed scripts and executables when they were double clicked without providing a warning that they were executable, not data.

      Every version of Outlook has - by default - raised a dialog before executing attachments. Over the years this has gone from a generic "Open or save" to "It's a really bad idea to run attachments you receive as email, you shouldn't do this" (with a default selection of 'Save', not 'Open') to "I won't let you execute certain types of attachments at all".

      Outlook has never exhibited the behaviour you describe, by design, by default.

      All of the above is a security nightmare which is why pretty much every security conscious company with a clue has banned outlook as an e-mail client.

      Which explains why Outlook is one of the cornerstones of the average busine
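
An added example, not part of the thread or any poster's code: the comment above argues that an ordinary user process can arrange to start at every login and listen on the network without root, so a defender has to inspect per-user autostart entries, not only system-level ones. The sketch below audits a directory of launchd job plists (on OS X, per-user agents live in ~/Library/LaunchAgents) for those traits; the flag names, `SYSTEM_PREFIXES` and the sample jobs are assumptions constructed for this illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Assumption for this example: programs of legitimate per-user jobs live here.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def audit_agents(agent_dir, system_prefixes=SYSTEM_PREFIXES):
    """Return one finding per launchd job plist found in agent_dir."""
    findings = []
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                job = plistlib.load(fh)  # handles XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("top-level plist object is not a dictionary")
        except Exception:
            # A job file that cannot be parsed deserves a manual look.
            findings.append({"plist": plist_path.name, "program": None,
                             "flags": ["unparseable"]})
            continue

        args = job.get("ProgramArguments") or []
        program = job.get("Program") or (args[0] if args else None)
        flags = []
        # RunAtLoad / KeepAlive: the job starts (or restarts) with the session.
        if job.get("RunAtLoad") or job.get("KeepAlive"):
            flags.append("starts-at-login")
        # Sockets: launchd opens a listening socket on the job's behalf.
        if job.get("Sockets"):
            flags.append("network-listener")
        if not isinstance(program, str):
            flags.append("no-program")
            program = None
        else:
            if not program.startswith(tuple(system_prefixes)):
                flags.append("outside-system-paths")
            # Writable by the account running the audit: anything running as
            # that account could replace the binary (the /Applications point
            # made in the comment above).
            if os.path.isfile(program) and os.access(program, os.W_OK):
                flags.append("user-writable-binary")
        findings.append({"plist": plist_path.name, "program": program,
                         "flags": flags})
    return findings


def demo():
    """Build a constructed agents directory and return {plist name: flags}."""
    with tempfile.TemporaryDirectory() as root:
        agents = Path(root, "LaunchAgents")
        agents.mkdir()
        helper = Path(root, "helper")  # stand-in for a binary in a home dir
        helper.write_bytes(b"#!/bin/sh\n")
        jobs = {
            # Constructed sample: system-path program, starts at login.
            "com.example.updater.plist": {
                "Label": "com.example.updater",
                "Program": "/usr/libexec/constructed-updater",
                "RunAtLoad": True,
            },
            # Constructed sample: user-writable program that also listens.
            "com.example.helper.plist": {
                "Label": "com.example.helper",
                "ProgramArguments": [str(helper), "--listen"],
                "RunAtLoad": True,
                "Sockets": {"Listener": {"SockServiceName": "8080"}},
            },
        }
        for name, job in jobs.items():
            with open(agents / name, "wb") as fh:
                plistlib.dump(job, fh)
        (agents / "broken.plist").write_bytes(b"not a plist")
        return {f["plist"]: f["flags"] for f in audit_agents(agents)}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

Run as root, `os.access` reports nearly every file as writable, so run the audit as the account being reviewed.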

    76. Re:OSX Virus by 99BottlesOfBeerInMyF · · Score: 1

      You mean the firewall that isn't turned on by default ?

      Yup, just like the system services that are not enabled by default. Not really much to firewall is there.

      A user process is quite capable of starting a daemon...

      Provided you can get a user to run it.

      OS X users are /frequently/ prompted for an admin password - most type it without even thinking, let alone verifying what has asked. Social engineering in such an environment is simple.

      I think you are confusing yourself with a typical user. I'm rarely asked for my admin password, especially to run/install a program and I'm always suspicious of programs that do want such access. You trivialize the social engineering required, but I have yet to see it accomplished on a wide scale.

      But never by design, as you claimed

      I said "due to the buggy design."

      Which explains why Outlook is one of the cornerstones of the average businesses e-mail, collaboration and messaging platform.

      True, most businesses do not care about security and/or do not hire competent security people. The huge amount of exposed customer data over the last few years shows that. When things do go bad, the focus is usually on PR and finding a scapegoat rather than fixing the problem. The number of banks and financial institutions that undergo security assessments by law and then completely disregard all the security recommendations is staggering. The 40 billion dollars banks lost to credit card fraud (and thus the more interest they charge) is pretty solid proof of entire industries that care a lot more about sales, than reducing lost money or data by having better security.

      Outlook has never exhibited the behaviour you describe, by design, by default.

      It did, and some versions do exhibit the behavior I describe, and that is the result of poor priorities and design choices. Just because no one sat down and said, "well, let's make it run scripts attached to anything the user previews" does not mean that that behavior is not the result of their design combined with circumstances they did not consider.

      Do you have a list of these unpatched vulnerabilities ?

      I don't know that anyone has compiled such a list. Entering "windows local privilege escalation" into google will give you about a quarter of a million results. The first result is the source code and instructions for an unpatched local privilege escalation exploit.

      ActiveX is something that can be disabled.

      We are talking about default and/or common configurations. Most users won't disable ActiveX or even know what it is. Within a few years a sizable number of Windows machines will ship with it disabled by default, but how long will it take for it to be a majority and how many users will have to enable it to use some service or another?

      I've no doubt I could bang up something that, when run, installed itself into a user's startup items, fire up a network daemon to allow interactive remote logins and send off a few emails with the system's vital stats in a matter of hours.

      That is not the problem, the problem is, can you get that executable installed on a significant number of machines either through automatic propagation, clever social engineering, or some other method?

      We'll just have to agree to disagree on this one. I think that having real, usable non-admin accounts, better informative dialogues, much better defaults for services and permissions, not using outlook and IE by default, not implementing Active X at all, and dozens of other design choices make OS X more resistant to malware. Results from the field seem to agree with me, with no known malware spreading on Mac computers. You try to explain this away as the result of circumstance, and to some degree you are correct, but that does not mean it is all circumstance. I can't even conceive of how you can think a relatively securely designed OS like OS X could ever be as e

  6. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  7. Symantec Security Software by orangeguru · · Score: 5, Insightful

    With security suites like that you don't need any hackers or viruses. Bloated Symantec software makes your computer unusable and unstable anyway ...

    1. Re:Symantec Security Software by MikeFM · · Score: 4, Informative

      I hate that. I've fixed more people's computers by simply removing these crappy security suites than I ever have needed to fix viruses and hacks. A firewall, reasonable use restrictions (not installing Chinese software cracks), not using IE/Outlook, and running an occasional anti-virus anti-spyware scan are plenty.

      If you need more then switch to Linux.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    2. Re:Symantec Security Software by gordo3000 · · Score: 1

      I use Norton AV and it works fine, I never have a real slowdown. I just have the settings so that it doesn't try to scan every single file that comes in(I quake in fear as to how long it would have taken to scan through all of OO.org 1.9 release).

      I just run the AV scan once a week while I sleep at night and check the log in the morning. Oh, and keeping the computer up to date helps.

      So what is the slowdown you are talking about? Maybe when you install all like 19 of the programs Symantec offers?

    3. Re:Symantec Security Software by widderslainte · · Score: 1

      He's talking about Symantec Antivirus 10.X. Nice suck-up for ~ 25MB of RAM for the real-time scan.

    4. Re:Symantec Security Software by robogun · · Score: 1

      just have the settings so that it doesn't try to scan every single file that comes in

      So in other words you turn it off. That's one way to speed up things.

    5. Re:Symantec Security Software by gordo3000 · · Score: 1

      Not really, what I mean to say is be reasonable in what you have it scan. When I download trusted items, it gives me the option of not scanning it, and that is what I do. When MS or redhat or OO.org's download sources become infected, well, I'm screwed. But it doesn't take long if I am downloading a movie for it to tell me if there is a problem so I let those run.

      This isn't turning it off, it's calculated risk.

    6. Re:Symantec Security Software by The_Quinn · · Score: 1
      If my grandma can't keep her windows box secure, then she certainly won't be able to apply security patches on a Linux box.

      If I'm going to set up a self-maintaining box, I'll get her on Win XP with auto update/reboot turned on with auto-updating anti-virus and a basic firewall. She'll be fine for quite awhile with this, as long as she is not installing anything.

    7. Re:Symantec Security Software by mjtg · · Score: 2, Insightful

      Wouldn't it make more sense to give her say a Debian box and set up automated security updates on it ? Same sort of philosophy re. regular updates, plus the benefit of better baseline security.

    8. Re:Symantec Security Software by Onan · · Score: 2

      Completely true. Anti-virus software is itself a hugely invasive, expensive, destabilizing chunk of voodoo that alters your system's behaviour in countless poorly-documented ways. Unless your virus risk is absurdly out of control (ie, you're running Windows), anti-virus software is vastly worse than the problem it supposedly solves.

      The only thing I find amazing is that a large number of people somehow find it okay that their systems are broken enough by default that it's reasonable to think you need some additional tool to de-break them.

      Apparently Symantec was concerned that it might cross people's minds that it's possible to just use a sane OS in the first place and not "require" their type of product, so they churned out yet another propaganda piece to try and convince people that viruses are fundamentally inescapable any way except using their snake oil.

    9. Re:Symantec Security Software by heybrakywacky · · Score: 2, Interesting
      A firewall, reasonable use restrictions (not installing Chinese software cracks), not using IE/Outlook, and running an occasional anti-virus anti-spyware scan are plenty.

      It's the "reasonable use restrictions" part that encompasses too much ground for your average (computer/internet-undereducated) user to adequately cover. They don't understand what is reasonable and what is not.

      That said, I have yet to see where these internet security suites make things any better. Every single machine I've had to disinfect for someone in the group above has had anti-virus software installed on it. It didn't seem to keep their machines from being completely compromised.

      What's sad to me is that I know other developers and IT professionals who themselves have drunk the kool aid and use these tools religiously. I've sat and shook my head as I've watched their machines crawl, watched them click through ridiculous numbers of allow/deny pop-up windows, watched them pull their hair out wondering why this or that application won't run properly. What's the point in having a computer if you're not allowed to use it?

      Education is a wonderful thing. I run no anti-virus software, and limited firewalling, in every computing environment I work in. I've never had a compromised machine, never had one virus, one trojan. Nothing. My brain and resulting discretion is the best security software I could ever ask for.

      --
      I'm sorry sandwich! --Brak
    10. Re:Symantec Security Software by Threni · · Score: 1

      > Nice suck-up for ~ 25MB of RAM for the real-time scan.

      While it's scanning? So what? And how did you notice 25megs of ram was missing? I've got 1.5gigs and it never occurs to me to check how much any process/app is using.

    11. Re:Symantec Security Software by Anonymous+Brave+Guy · · Score: 2, Insightful
      Anti-virus software is itself a hugely invasive, expensive, destabilizing chunk of voodoo that alters your system's behaviour in countless poorly-documented ways. Unless your virus risk is absurdly out of control (ie, you're running Windows), anti-virus software is vastly worse than the problem it supposedly solves.

      So much for the legendary robustness of $ALTERNATIVE_OS, then. If Linux or MacOS X is so much better designed than Windows, how can some anti-virus software destabilise the system as you describe?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    12. Re:Symantec Security Software by eggz128 · · Score: 1

      Ok, now imagine how important that RAM is to the average person who bought a computer in the last few years, when most of them only had 128Mb or 256MB fitted as standard.

    13. Re:Symantec Security Software by Threni · · Score: 1

      > Ok, now imagine how important that RAM is to the average person who bought a
      > computer in the last few years, when most of them only had 128Mb or 256MB
      > fitted as standard.

      If the last few years means the last, say, 2 or 3 years, then I doubt hardly any of them have as little as 128 or even 256megs of ram. (It's hard to find a graphics card that has less than 256 megs of ram nowadays!) Laptops have 256megs or so in this period, and even entry level desktop PCs have half a gig. If you mean 5+ years ago then maybe you have a point, but even on a 128meg machine, losing 25megs or so during a virus scan is surely insignificant - you won't notice it.

    14. Re:Symantec Security Software by eggz128 · · Score: 1
      If the last few years means the last, say, 2 or 3 years, then I doubt hardly any of them have as little as 128 or even 256megs of ram. (It's hard to find a graphics card that has less than 256 megs of ram nowadays!)

      You haven't really looked very hard then. Entry level (~£400) at the moment is between 256MB and 512MB. With integrated graphics nabbing some of that. Entry level laptops (~£600) tend to be the same. Here's a quick example. 5+ years ago Windows XP hadn't been released, and for the first year or two of XP's life I saw many "entry level" machines ship with just 128MB.

      but even on a 128meg machine, losing 25megs or so during a virus scan is surely insignificant - you won't notice it.

      I can assure you you do, as the machine hits the swapfile hard. IIRC it takes about 96MB of ram just to get to the desktop in WinXP and hold it in RAM. That doesn't leave much room for running any programs, and much less once you have some antivirus software in the background (and you've probably lost a bit to integrated graphics as well). Granted it's not as bad once you get to 256Mb land, but it's still noticeable. Especially as most of these entry level machines come loaded with tons of sys tray "helper" apps, each nibbling up a bit more of the scarce ram.
    15. Re:Symantec Security Software by Threni · · Score: 1

      > You haven't really looked very hard then

      Maybe you're right - I tend to build my own PCs.

      > Entry level laptops (~£600) tend to be the same

      Hmm..just bought a £400 laptop which has 256megs - hard to get less memory than that, and doubling it costs a few pounds. If you can afford a laptop, and you need extra performance, then it's there.

      > 5+ years ago Windows XP hadn't been released, and for the first year or two
      > of XP's life I saw many "entry level" machines ship with just 128MB.

      To be fair (to me) we weren't talking about 5 years ago!

      > Granted it's not as bad once you get to 256Mb land,

      Sure, and I really imagine that most people running XP will have more than 256megs and definitely more than 128megs.

      And I was assuming we were talking about a once-a-day virus scan. If a virus checker really requires 28megs all the time then it's a bit sad really (coming as I do from a background where 512k was enough for a decent (Amiga) game!)

    16. Re:Symantec Security Software by eggz128 · · Score: 1
      You haven't really looked very hard then

      Maybe you're right - I tend to build my own PCs.

      Me too, and I wouldn't dream of putting any less than 512MB in. But the average person doesn't build, they buy. They buy cheap. And they get cheap :-/

      Hmm..just bought a £400 laptop which has 256megs - hard to get less memory than that, and doubling it costs a few pounds. If you can afford a laptop, and you need extra performance, then it's there.

      Again, agreed. However the average person in my experience doesn't appreciate this, and of course any swapping to the laptop's drive is even slower.

      5+ years ago Windows XP hadn't been released, and for the first year or two of XP's life I saw many "entry level" machines ship with just 128MB.

      To be fair (to me) we weren't talking about 5 years ago!

      Well you brought that figure up :) I was just pointing out that while 5 years ago 128Mb was common, as close as just two to three years ago it wasn't that uncommon. If I was forced to guess (based just on the PCs I go round and fix), most people are still using machines with 256MB of ram. A couple of unfortunates have 128MB, and a couple more have 512MB.

      Common usage now for virus scanners is to have a resident shield that sits there, running all the time. Norton's is particularly annoying, because rather than just getting on with it, it also pops up plenty of little alerts just to let you know it's there. If you're installing a piece of software expect plenty of little pop ups from the systray along the lines of "Installer is waiting for a virus scan of filename.xxx [ok/cancel]".

      And 512k? Luxury! My CPC had 128k and I liked it that way. :)

    17. Re:Symantec Security Software by MikeFM · · Score: 2, Interesting

      The best thing we could really do for security is to write more software in high-level languages. Fewer holes such as buffer overflows and similar low-level flaws means that code that hasn't been permitted to execute is less likely to execute through loopholes. That combined with decent coding practices and use of OS's that have good built-in security (Unix, Linux, BSD, OSX) would mean a lot.

      I rather liked the article a few days ago that suggests allowing no code to execute unless first added to a whitelist. That could annoy users but it'd help a lot. Only, it'd be a real pain in the ass on development machines so we'd have to have a way to turn that feature off. :)

      One major distinction programmers need to get over is the distinction between code and data. Just because data wasn't meant to execute doesn't mean it can't. Just because data isn't Turing complete doesn't mean it isn't a program - structured data such as XML, JPEG, or MP3 files can all be considered programs. It's all dangerous.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    18. Re:Symantec Security Software by Onan · · Score: 1


      Please forgive me if I have ever implied that there is any OS in the world that is immune to any negative effects of having bad kernel modules (or local equivalent) inserted into it. That is clearly untrue.

      There is, however, a significant gap between "better designed" and "perfectly immune to its administrator doing extremely dumb things." I'd love to see some software that's the latter, but for the moment I'll settle for the former.

    19. Re:Symantec Security Software by haruchai · · Score: 1

      All too true. I've made many of my friends' older computers feel slick and fast again under XP by dumping Norton or Symantec and replacing them with Antivir or AVG Free

      --
      Pain is merely failure leaving the body
  8. Well, Sherlock... by ackthpt · · Score: 1

    Consider that one third of bots are now in the UK, where people's bandwidth is the best overall. What's it going to be like when all of China is wired? (BTW, that is one of the PRC's goals, even remote farms without running water have DSL!)

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Well, Sherlock... by ObsessiveMathsFreak · · Score: 2, Funny

      What's it going to be like when all of China is wired?

      Quite frankly I'm thinking something like the opening sequence of XenoGears, with the mass tentacles of spam reaching out to engulf us all, and the scrolling messages of "And Ye Shall Be As Gods" replaced by countless repetitions of "Make Money Fast", "Strong Erections", "FREE!!!!!" and the like.

      I'd like to play the part of the captain, giving a faint smile as I detonate the self destruct. Gods know it'll be better than the alternative.

      --
      May the Maths Be with you!
    2. Re:Well, Sherlock... by surprise_audit · · Score: 1
      What's it going to be like when all of China is wired?

      I'd imagine we'll find out if the Great Firewall of China works both ways.

  9. why firefox will never be so bad as IE has been by diegocgteleline.es · · Score: 4, Interesting

    1. No activex
    2. Automatic updates

    The nightmare IE/windows users have suffered for years is pretty much derived from these two points.

    BTW, gotta love how the IE guys are adding a "new" feature to IE7:

    Building on the security features released at beta 1, upcoming new features will include ActiveX Opt-in: To reduce the attack surface and give users more control over the security of their PC, most ActiveX controls (even those already installed on the machine) will be disabled by default for users browsing the Internet

    I already can read the press: "IE7, with new ActiveX Opt-IN technology which protects you from the threats of the Internets"

    It's amazing how they're trying to get rid of one of their major security mistakes by converting it into marketing crap. "IE7 adds activex opt-in". No, IE7 doesn't "add" that feature. It just removes/limits an already existing feature

    1. Re:why firefox will never be so bad as IE has been by secolactico · · Score: 1

      It's amazing how they're trying to get rid of one of their major security mistakes by converting it into marketing crap. "IE7 adds activex opt-in". No, IE7 doesn't "add" that feature. It just removes/limits an already existing feature

      Windows Server 2003 already has this "feature". Actually, what they did was increase the restrictions in the "Internet" security zone, and *presto!* And you can't even download on this zone by default. Even Windowsupdate requires you to add it manually to the "trusted sites" zone.

      --
      No sig
    2. Re:why firefox will never be so bad as IE has been by Anonymous Coward · · Score: 1, Insightful

      1. No activex
      2. Automatic updates

      The nightmare IE/windows users have suffered for years is pretty much derived from these two points.


      Are these actual advantages or mere myths?

      1. Firefox has Extensions. They're installed the same way ActiveX controls are. In theory, they can't be installed from "untrusted sites"; in practice, however, it's entirely too easy to get gullible users to add the sites to their allow list and then ask them to install the software.

      To be fair, blocking by default is definitely a good thing -- but IE6 w/ SP2 does the same thing.

      2. Firefox's "Automatic" Update functionality is no better than Windows Update. In fact, Firefox's notify-only behavior (showing a small arrow when a new update is available) already takes more work than a completely automatic update process (which Windows Update optionally provides). I would not be surprised if some users never update Firefox because they don't know what the small green arrow means.

    3. Re:why firefox will never be so bad as IE has been by quazee · · Score: 2, Insightful

      It is not a brand new IE feature, it is just a set of locked-down default security settings probably too harsh for average home user (a.k.a. 'Enhanced Security Configuration' - you can revert to WinXP default settings in 10 seconds if you want).
      This is reasonable on servers, but too restrictive to put that in Vista.

      The ability to control (and disable by default) the loadable COM components without the Registry Editor (browsing through 1000's of COM GUIDs) is new in IE7, and that is a welcome improvement :).
      Note: this functionality is NOT covered by the "Manage Add-ons" panel in XP SP2.

      --
      throw new SuccessException("Sig read successfully");
    4. Re:why firefox will never be so bad as IE has been by gordo3000 · · Score: 1

      While I use firefox because I find it much better, its automatic updates are really terrible (it isn't obvious when a major update is needed)

      and not having activex is not a security improvement. It's leaving out a feature that is hard to secure. So really lynx is the way to go if that is what you call security.

      Firefox is only better if you don't use lots of activex (and a few other things regularly). Else something else is better.

    5. Re:why firefox will never be so bad as IE has been by Anonymous Coward · · Score: 0

      "No activex".

      Activex is a label, a term, a marketing word. Firefox is able to have a lot of the content IE has because they have installers to run that content, too.

  10. A corporate IT disaster by bwt · · Score: 1

    I am surprised that it has not yet happened that a disgruntled IT worker has not launched such an attack targeted at a specific company. I still think it is a matter of time until a company suffers such a severe attack that it is forced under.

    1. Re:A corporate IT disaster by YrWrstNtmr · · Score: 1

      How are we sure this hasn't happened? A company is unlikely to publicise such an event.

    2. Re:A corporate IT disaster by fbjon · · Score: 1
      So, supposing for a minute, that one had an interest in partaking in such matters (which I don't), and that one also had sufficient motive for such irresponsible behaviour (which I haven't), how would one go about composing such a combination of Slammer and a BIOS eraser?

      Naturally, one would only be using this information for research purposes. Or educational purposes, at most.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    3. Re:A corporate IT disaster by drsmithy · · Score: 1
      So, supposing for a minute, that one had an interest in partaking in such matters (which I don't), and that one also had sufficient motive for such irresponsible behaviour (which I haven't), how would one go about composing such a combination of Slammer and a BIOS eraser?

      No need for anything so complicated. Just send a company-wide email (from somebody else's account, of course) with some sort of destructive attachment (BIOS eraser, hard disk formatter, recursive file deleter (don't forget any mapped network shares), etc). Make the subject line something like:

      "Video of $HOT_SECRETARY and $HOT_MIDDLE_MANAGER blowing $MARRIED_UPPER_MANAGER at the Christmas party"

      (Substitute site-localised names as appropriate).

      I guarantee you'd wipe out about 3/4 of the machines in the typical office.

    4. Re:A corporate IT disaster by Anonymous Coward · · Score: 0

      I've heard stories that China has trained a few hundred programmers to launch coordinated attacks on business and government networks in target countries such as Taiwan, Japan and the USA. The goal is to damage communications and supply systems and sow confusion while China moves forward in a military engagement.

      Remember Tibet.

  11. Duplicate Link Checker by Anonymous Coward · · Score: 5, Interesting

    One of the links appears to be new. The other was posted like a week ago. Since the 'editors' don't actually read the site, why don't they just have a short script which checks whether the same link has been posted in another story. That would really cut down on the dupes, and wouldn't take long to implement.

  12. Consider the source by Anonymous Coward · · Score: 1, Insightful

    The blurring between Symantec marketing and reporting is more than a little disconcerting. It seems we are now in a round of monthly warnings from them to keep sales high. Security is important, it is critical, it should not be taken lightly. However it would be nice if we could stop pulling our hair out on a monthly basis driven solely on the marketing budget of Symantec. (5 years and still virus free. I'm guessing Mac OS X has a little more going for it than just "fools paradise" variety luck)

  13. Secure vs. Reliable by mysqlrocks · · Score: 0, Redundant

    It's important perhaps to point out here that secure programs, reliable programs and correct programs are all different things. Knowing how to write provably secure programs is very different from saying we know how to write reliable or correct programs.

    This is a very important point. How does one prove that software is secure? Reliability can be checked through unit tests, etc. but security is much harder to test and takes a lot more imagination.
    1. Re:Secure vs. Reliable by Anonymous Coward · · Score: 0

      Security must come from the OS, not from other programs. SELinux is a step in the good direction, but no one seems to care. That's the problem.

    2. Re:Secure vs. Reliable by WMD_88 · · Score: 1

      Nobody seems to care? I guess Red Hat doesn't exist....

  14. the best systems today are totally inadequate-not by bcrowell · · Score: 5, Insightful
    I first heard this ca. 1990: if your system is connected to the internet, and it hasn't been hacked yet, it will be soon. Still hasn't happened to me.

    We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours
    Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end. Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.

  15. Allan Cox, huh? by Sheetrock · · Score: 5, Funny

    Not good enough he's a kernel developer and Red Hat fellow, now he had to go and add an l to his name?

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:Allan Cox, huh? by Anonymous Coward · · Score: 0

      I guess he's hoping that if he adds in enough l's, people will forget that his last name is mildly amusing.

    2. Re:Allan Cox, huh? by Anonymous Coward · · Score: 0

      Yeah, but I'll always think of him as "that guy who wrote AberMUD".

  16. I'm delusional by toupsie · · Score: 3, Interesting
    Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"

    I have been happily living in a "false paradise" since 1984 using Macs.

    P.S. Fair disclosure I was laid off by Symantec when they bought Fifth Generation Systems in the early 90s.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:I'm delusional by Anonymous Coward · · Score: 0

      Do you remember a product called Symantec Anti-Virus for Macintosh? SAM? It was my experience that Macs were much more prone to viruses than PCs, back in the day.

    2. Re:I'm delusional by dgatwood · · Score: 4, Informative
      That would be an "umm... no."

      Number of PC viruses in 2004: 30
      Number of Mac viruses ever: 26

      Do the math. Oh, and most of the stuff that SAM flagged...

      MS Word macro viruses: 533

      Sources:
      Mac Viruses by the numbers
      30 PC viruses played havoc in 2004

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:I'm delusional by Bill+Dog · · Score: 1

      They were especially prone to viruses because of the way they were designed -- each floppy when formatted for the (classic) Mac had some standard code placed on it that got executed by the computer it was inserted into, something like to assist in displaying its contents in a window. So most viruses back in the day infected that code on floppies and spread from computer to computer that way. Really dumb, in hindsight, but Apple simply wasn't thinking about viruses and security then.

      --
      Attention zealots and haters: 00100 00100
  17. Hydrogenous by Anonymous Coward · · Score: 2, Funny

    Hydrogenous?

    Is English your first language? Or do you make them up as you go along?

  18. Doomsaying, like s*x, sells... by Elbowgeek · · Score: 1
    Consider the following bit of text from the article:
    Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them." That is a bit of a catch-22 for the virus/worm authors. They need living hosts in order to redistribute the worm, so it's not in their interest to kill the host. And most virii are of the worm variety - they want their little code critter to distribute as far and wide as possible. So it's very unlikely that a BIOS killer worm would get very far even if it were released into the wild.
    --
    Who is this delectable creature with an insatiable love of the dead?
    1. Re:Doomsaying, like s*x, sells... by Rakishi · · Score: 1

      I was thinking that as well; however, given how quickly some viruses/worms have spread, you'd simply need to put in a timer of some sort. For example 10 hours after a computer is infected (i.e. once it has spread about as much as it can) it kills itself off. However, this delay may be enough to create some counter against the threat. In addition, anything beyond simply spreading adds unnecessary payload to the virus/worm and makes it spread more slowly. It'd be interesting to see some models of such viruses/worms.

    2. Re:Doomsaying, like s*x, sells... by phauxfinnish · · Score: 1

      Doomsaying, like s*x, sells...

      A part of me wonders what events happened in your past to make you believe that S-E-X is such a bad word that it cannot be written in whole, even on a place such as the Internet.

    3. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 1, Insightful

      The Morris Worm in the late '80's was bad enough. It took down UNIX systems all over the world, as a bug in the worm allowed it to replicate on the same machine and destroy the OS. (Morris is now an MIT professor and never served a day in jail. It's nice to have your father be the head of the NSA and able to call in favors, or at least in such an excellent place to control the backlash.)

      The vulnerabilities exploited then, (old and unpatched servers, bad passwords, accounts with no passwords, insecure services exposed to the net for no reason whatsoever) certainly exist today and are actually exacerbated by the complexities of doing the most simple tasks with today's wildly overburdened and "feature-filled" servers, running and requiring complex servers for no reason whatsoever. A cracker could do a fairly simple re-write of Morris's worm with a destructive payload on a timer, and could easily take out core systems the world over, even with the enhanced security of UNIX and Linux compared to Windows.

      A destructive Windows worm could be far, far worse due to the popular use of no password for Administrator accounts to ease loans of the computer, laptops walking into and out of secured networks with little to no security auditing.

      A destructive *BIOS* worm would be even more fun. The systems won't fail until the computer is rebooted, and since a BIOS worm that destroys the ability of a BIOS to install a replacement BIOS would effectively make every system exposed to it a ticking time bomb of support costs, it would decimate the most vulnerable users, those without any competent tech support.

    4. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 0

      FYI: any windows account w/o a password (AKA: Admin) in windows XP cannot be accessed from a network. Try logging a remote session using the account. It won't work. Actually if you try to login as admin on many (can't confirm on all) XP Home versions without a PW (unless in safemode) it will also fail.

      So not having an account with a PW can actually HELP the security of your computer unless of course you can't trust people who have physical access to your machine.

    5. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 0

      Some of those worms reached their saturation points in no more than a couple hours or so. Suppose you wait 6 hours from infection time and then terminate the machine (or, since we're going on infection time, not when the plague first began, just a couple hours)?

      What would happen in such a case? That's right: lots of dead machines.

    6. Re:Doomsaying, like s*x, sells... by Metzli · · Score: 1

      Would it even need 10 hours? It's alleged that Slammer hit 75,000 machines in 10 minutes. Think of writing a multifaceted worm, say some combination of the methods of Sobig, Blaster, Slammer, Zotob, etc., base its main exploit on a zero-day vulnerability (but including others to attack what it can), and configure it to wipe the BIOS and force a reboot at a certain time (say 4-5 hours after the release time). The time to patch and protect is minuscule, yet the impact to those infected is massive. It wouldn't get the writer the infamy desired, as the time-to-live for the worm would be small, but the impact of this could be huge.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    7. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 0

      ASUS' dual bios feature should be able to fix this.

    8. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 0

      sells like what? six? sax? sox? hmm, gotta be one of these...

  19. Re:Hydrogenous Infrastructure. by Locke2005 · · Score: 2, Funny

    "Hydrogenous" Network?!? That would be a network made of hydrogen, wouldn't it? I think the word you're grasping for is "Heterogenous"

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  20. Re:Hydrogenous Infrastructure. by SecureTheNet · · Score: 2, Insightful

    I believe you mean "heterogeneous," consisting of dissimilar elements. The opposite of homogeneous. I won't even touch the rest of your post... where do you come up with this crap?

    --
    SecureThe.Net - Practical Resources for Securing Systems
  21. Re:Hydrogenous Infrastructure. by DECS · · Score: 2, Funny

    I think advocating for or against a "Hydrogenous" network might cause a flamewar, teehee.

    Maybe you were thinking of heterogeneous? or androgynous? Hard to tell because attempting to read a few lines of your post made my face explode. It's 'unpossible' to read your posting.

  22. Re:Hydrogenous Infrastructure. by Anonymous Coward · · Score: 0

    Didn't you mean:

    This be why the king's law not be the only one. With most the treasure being defensed in one place we 'ave a hearty good chance for the one piece. Me hat off to the scalawags who hide their booty elsewhere. We may knock ya down but at least you won be wearin them red badges. The king be a fool.

    http://www.google.com/search?hl=en&q=talk+like+a+pirate+day&btnG=Google+Search

  23. You mean heterogenous by Anonymous Coward · · Score: 0

    Unless you want to build computers out of hydrogen.

  24. What does this have to do with flammable gas? by bigtallmofo · · Score: 5, Insightful

    This is why having a Hydrogenous network and/or having a society where no one platform dominates.

    I'm guessing hydrogenous is not the word you were looking for. Assuming of course that you weren't proposing that we base our networks on hydrogen.

    I'm going to instead assume you meant heterogeneous which is something often proposed on Slashdot and grants the proposer instant karma as people rush to mod them up.

    The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

    --
    I'm a big tall mofo.
    1. Re:What does this have to do with flammable gas? by Anonymous Coward · · Score: 0

      Having a heterogeneous environment also virtually guarantees that you WILL be affected by any new security vulnerability. At least if you're running a Windows-only or Linux-only shop you know that you don't need to worry about that security bulletin that just came out for the other platform.

    2. Re:What does this have to do with flammable gas? by spitzak · · Score: 1

      The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

      Even if your company is 100% Windows, the world itself could be much more heterogeneous, if perhaps other companies were 100% Mac or 100% Linux, or 100% some in-house system that nobody else knows about. For each company it would not be harder to manage than today, and we would all be much safer with this.

    3. Re:What does this have to do with flammable gas? by forkazoo · · Score: 1
      The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.
      No, no, no. The idea behind heterogeneous networks is that you can have incompetent administration and still have at least one working system while you repair the compromised machines. You don't need to know how to secure Irix, VMS, Linux, BSD, Solaris, Windows, Novell, and Mac OS X because no hacker knows how to compromise them all. As long as I have one working machine to surf the porno while I reinstall Windows, everything is just fine. Just fine, indeed.

      At least, that's my take on network heterogeneosity... (Actually, I am using a Mac OS X box as a gateway router to keep my Windows, Irix, and Solaris machines safe. (The BSD/Alpha box is broken right now...) The Mac OS X box has never been compromised.) Yes, I keep that many platforms running continuously on my home network. I'm not even counting the more exotic machines I don't have on the network, like my VAX.
    4. Re:What does this have to do with flammable gas? by galego · · Score: 1
      The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

      And if you have only one type of system, it's all the easier to get bang-for-buck on an attack. Either that or your security level wrapped around that one type of system has to be much higher (meaning more admins and/or more software/security measures) ... As the saying goes ... "pay me now or pay me later"

      --

      Que Deus te de em dobro o que me desejas

      [May God give you double that which you wish for me]

    5. Re:What does this have to do with flammable gas? by FuckTheModerators · · Score: 1

      ...Hydrogenous network...

      I'm guessing the right interpretation is somewhere between hydrogenous and heterogenous:

      We need partially hydrogenated networks. That way, when some machines get infected, we can simply blow them up.
      Or ignore them and eat chips.

    6. Re:What does this have to do with flammable gas? by Anonymous Coward · · Score: 0

      Well now it says "ERROR Sig overflow"

  25. Symantec is crying wolf again by argent · · Score: 4, Interesting

    Symantec makes their money by producing an amazingly complex set of tools for patching up a security failure after the fact. It's in their interest to convince as many people on as many systems as possible that this is the best way to deal with security problems.

    They have been pulling this kind of thing for years, predicting floods of malware on Palms, Pocket PCs, mobile phones, and I'm sure that game consoles and internet connected coffee machines will be next.

    I'm glad they're working on the problem, so if it ever happens that Apple pulls a stupid trick like ActiveX they'll be there, but in the meantime more people have lost data due to false positives from antivirus software on these platforms than have lost data to actual viruses... so I'll steer clear and take everything they say about it with a grain of salt.

    1. Re:Symantec is crying wolf again by Halfbaked+Plan · · Score: 1

      They used to make a pretty nice tool (Symantec C++) before they decided whipping up a whirlwind of hysteria was more profitable.

      --
      resigned
    2. Re:Symantec is crying wolf again by spoco2 · · Score: 1

      more people have lost data due to false positives from antivirus software on these platforms than have lost data to actual viruses...

      Now, I'm not calling you a liar... ok, maybe a little bit... but could you back that statement up with any sort of actual data? I'd be interested in reading it if you can.

    3. Re:Symantec is crying wolf again by Anonymous Coward · · Score: 1, Informative

      It is in symantec's best interest to not only cry wolf, but to breed the wolves they will protect you from. This is why symantec funds the breeding grounds for viruses -- funding hacker conventions, providing public downloads of working exploits thru their public sites.

    4. Re:Symantec is crying wolf again by Farmer+Tim · · Score: 1

      No hard data (sorry), but a recent Mac version of NAV had the rather nasty habit of searching Mail.app's mbox files for viruses and simply deleting the whole file if it found one rather than removing the offending attachment.

      Try searching the discussions on http://www.macintosh.com/ for more details and other problems.

      Bearing in mind this is the same Symantec who haven't managed to produce a safe, reliable disk utility suite since 1998 (unlike Alsoft or MicroMat), I think Mac users are pretty safe ignoring anything Symantec's "experts" have to say.

      --
      Blank until /. makes another boneheaded UI decision.
    5. Re:Symantec is crying wolf again by argent · · Score: 1

      but could you back that statement up with any sort of actual data?

      Number of actual viruses in the wild for PalmOS: 0

      Number of actual viruses in the wild for Pocket PC: 0

      Number of actual viruses in the wild for Mac OS X: 0

      Number of people who have lost data due to actual viruses on palmOS, Pocket PC, and Mac OS X: 0

      Number of people who have lost data due to malfunctioning antivirus software on PalmOS, Pocket PC, and Mac OS X: more than zero.

      There have been cases where AV software has locked up and caused a hard reset on PalmOS or Pocket PC, or caused legitimate mail to be dropped or bounced, and where a false positive from the AV software resulted in an IT department unnecessarily wiping a handheld or computer.

      No matter how small a number these represent, any positive integer is greater than zero.

    6. Re:Symantec is crying wolf again by spoco2 · · Score: 1

      Way to use skewed figures... We're talking the entire installed base of PCs, Macs, handhelds etc... and when you look at the infections of PCs and the damage they've created compared to the damage by false positives by virus programs across the ENTIRE collection of all platforms, I think you'll find that viruses still win in the damage stakes.

    7. Re:Symantec is crying wolf again by argent · · Score: 1

      We're talking the entire installed base of PCs, Macs, handhelds etc...

      No, we're not.

      We're talking about Symantec pushing AV software on people who don't need AV software. We're talking about how much damage AV software for platforms that can't usefully use AV software does, compared to the damage from viruses on these platforms.

      If you have a PC running Windows, you need AV software.

      If you have anything else, you're better off without it.

      Symantec's whole point in these scare tactics is to try and convince people to spend money on software that can't do anything but mess them up.

  26. Doesn't surprise me one bit... by Anonymous Coward · · Score: 1, Funny
  27. what's real? by catwh0re · · Score: 4, Insightful
    Although a lot of attacks are technically possible (ideal conditions being that the computer can manage to stay alive and the user doesn't notice the security issue), they aren't very practical. For example a lot of worms do their most damage because they are left unattended (and unnoticed) for large amounts of time, hence by including things to destroy the infected system this will render the system unusable, this will result in the owner interfering or the system being so destructed that it is already unable to spread the virus. It's a gentle balance that mimics the actual spread of real diseases. More serious diseases don't spread far because they become noticed sooner and are contained naturally (i.e. death). While more subvert diseases are easily spread as the host can live, move about, give it to others unwittingly.

    Our most effective viruses will be the ones that allow the system to live long enough to spread the virus, and as soon as it can't spread it anymore, or the rate of infection drops below a certain level, the self destruct button can be hit. Allowing maximum transfer, and then maximum destruction.

    In the time between these two phases human interference should be able to pick up the CPU/network drain. (Or perhaps a software developer can make a program that realises when cpu usage + network activity is uncontrolled.)
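An added example, not part of the comment above: one way a monitoring program could notice "uncontrolled" CPU plus network activity, by comparing each host against its own recent baseline and requiring the condition to persist. The host names, telemetry values and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from statistics import median

# Assumed tuning values for this illustration, not taken from any product.
BASELINE_LEN = 5   # normal samples remembered per host
MIN_BASELINE = 5   # samples needed before a host is judged at all
CPU_FLOOR = 80     # percent CPU that counts as "pegged"
FACTOR = 10        # multiple of baseline that counts as a network surge
SUSTAIN = 3        # consecutive bad samples before alerting

# Constructed per-minute telemetry: cpu %, outbound packets, distinct destinations.
CONSTRUCTED = {
    # Workstation with a CPU-only spike (e.g. a compile job): must not alert.
    "ws-01": ([5, 7, 6, 6, 8, 5, 95, 97, 96, 6],
              [120, 130, 110, 125, 118, 122, 119, 131, 127, 120],
              [4, 5, 4, 5, 4, 4, 5, 4, 5, 4]),
    # Workstation that starts worm-like behaviour at minute 6:
    # pegged CPU, packet flood, thousands of new destinations.
    "ws-02": ([6, 5, 8, 7, 6, 6, 99, 100, 99, 100],
              [115, 125, 120, 118, 122, 121, 26000, 30000, 29500, 31000],
              [4, 5, 4, 4, 5, 4, 4100, 5000, 4900, 5200]),
    # Server running a backup: heavy traffic to the same two peers, must not alert.
    "srv-03": ([30, 35, 32, 31, 33, 60, 62, 61, 34, 30],
               [900, 950, 920, 910, 940, 12000, 12500, 12200, 930, 900],
               [2, 2, 2, 2, 2, 2, 2, 2, 2, 2]),
}

SAMPLES = [
    (minute, host, cpu[minute], pkts[minute], dsts[minute])
    for minute in range(10)
    for host, (cpu, pkts, dsts) in CONSTRUCTED.items()
]


def detect_runaway(samples):
    """Return [(host, first_bad_minute, alert_minute)] for sustained runaway hosts.

    A sample is 'runaway' only if CPU is pegged AND outbound packets AND the
    number of distinct destinations both exceed FACTOR times the host's own
    median baseline. Requiring all three keeps busy-but-legitimate hosts quiet.
    """
    baseline = defaultdict(lambda: deque(maxlen=BASELINE_LEN))
    streak = defaultdict(int)
    first_bad = {}
    alerts = []

    for minute, host, cpu, pkts, dsts in sorted(samples):
        history = baseline[host]
        runaway = False
        if len(history) >= MIN_BASELINE:
            base_pkts = max(median(p for p, _ in history), 1)
            base_dsts = max(median(d for _, d in history), 1)
            runaway = (cpu >= CPU_FLOOR
                       and pkts > FACTOR * base_pkts
                       and dsts > FACTOR * base_dsts)

        if runaway:
            if streak[host] == 0:
                first_bad[host] = minute
            streak[host] += 1
            if streak[host] == SUSTAIN:      # alert once per episode
                alerts.append((host, first_bad[host], minute))
        else:
            streak[host] = 0
            # Only normal samples feed the baseline, so a long-running
            # infection cannot drag the baseline up and hide itself.
            history.append((pkts, dsts))
    return alerts


if __name__ == "__main__":
    for host, started, alerted in detect_runaway(SAMPLES):
        print(f"{host}: runaway since minute {started}, alerted at minute {alerted}")
```

With these constructed samples only ws-02 is flagged, two minutes after the behaviour starts; the wait imposed by SUSTAIN is the trade-off between false alarms and the reaction time the thread is arguing about.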

    1. Re:what's real? by Requiem+Aristos · · Score: 4, Interesting

      The problem with the "Kill the host and the virus can't spread" counter-argument is that it assumes one of two goals:

      1) You are trying to keep the virus active indefinitely, or...
      2) The virus requires a significant amount of time to saturate the population.

      If the writer is interested in making a name for himself neither of the two may apply. Some of the recent big-name worms have been able to infect a significant percentage of the vulnerable population in a matter of minutes or hours. This means that after the first 4 hours or so your rate of infection will level off, and you may as well start killing hosts. Which would get the greater publicity, just infecting 3/4ths of the Net, or infecting 2/3rds the Net but permanently killing the machines?

    2. Re:what's real? by edunbar93 · · Score: 1

      So when a worm or virus infects half the internet connected computers in the world in a few hours, how do you explain that?

      The fact of the matter is that if you made a virus that spread as fast as it could (and a lot of recent virus writers try to avoid that, because it would bring the whole internet to its knees, and they'd be in jail the week after) and then destroy the computers it infected inside of 24 hours, we'd all be fucked, good and hard.

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    3. Re:what's real? by Randseed · · Score: 1
      and then destroy the computers it infected inside of 24 hours, we'd all be fucked, good and hard.
      Up the ass with a cattle prod, it might feel like.
  28. Whereis AntiVirus for MacOS and Linux?? by NatteringNabob · · Score: 4, Insightful

    According to Symantec, this is an enormous untapped market for them since we are all very attractive targets and living in a security dream world. And those products, particularly for Linux, are where exactly? Actions speak louder than words, and if Symantec really thought there was an enormous threat here, they would be pushing out products to address it, because that is what companies that want to maximize profit do. Instead of products, they produce press releases. Once Microsoft's lapdog, always Microsoft's lapdog I guess, even after they have decided to have you put down.

    1. Re:Whereis AntiVirus for MacOS and Linux?? by tehwebguy · · Score: 0, Informative

      well actually, they have a line of mac products.

      --
      -- lol pwned
    2. Re:Whereis AntiVirus for MacOS and Linux?? by FLAGGR · · Score: 1

      AFAIK those are to scan files if you're a mac user on a windows network, to stop the spreading of files to poor windows users.

    3. Re:Whereis AntiVirus for MacOS and Linux?? by Akaihiryuu · · Score: 2, Interesting

      Same goes for Linux "antivirus" programs. All of the so-called Linux antivirus programs scan email and sometimes files for Windows viruses, to keep you from passing them on to poor Windows users. I guess that might come in handy if you were running an email server, and you wanted to keep Windows viruses out of the email. But they don't do jack for Linux itself. In fact, the whole concept of a "virus" in Windows doesn't work in a *nix environment. The closest thing I can think of is a worm, but you have to be running a specific vulnerable version of a service (and even then, that service has to have privileges that would enable an exploit to do something consequential to the system) for that to even be a possibility. "Viruses" as Windows users know them are only possible in the Windows world.

    4. Re:Whereis AntiVirus for MacOS and Linux?? by brokencomputer · · Score: 1

      umm symantec has released security products for mac.... ever heard of : Norton AntiVirus for Macintosh 10.0 Norton Personal Firewall for Macintosh 3.0.3 which both work on tiger???? not to mention: Norton Internet Security for Macintosh Symantec Administration Console for Macintosh which haven't yet been fixed to work w/ tiger

    5. Re:Whereis AntiVirus for MacOS and Linux?? by Anonymous Coward · · Score: 0

      In addition to the Mac products already mentioned, Symantec will soon offer their Antivirus (Corporate Edition) software for Linux. My company signed up for a beta test for this software over the next year.

      Initially, it's a little buggy. I've noticed some issues with hotplugging USB keys and such

      AC cause I'm not sure if this beta test dealie is NDA or not...

    6. Re:Whereis AntiVirus for MacOS and Linux?? by Farmer+Tim · · Score: 1

      Norton AntiVirus for Macintosh 10.0 Norton Personal Firewall for Macintosh 3.0.3 which both work on tiger????

      What, Symantec have released a version of NAV that actually works?

      Norton Internet Security for Macintosh Symantec Administration Console for Macintosh which haven't yet been fixed to work w/ tiger

      Ah, that's the Symantec I know.

      --
      Blank until /. makes another boneheaded UI decision.
    7. Re:Whereis AntiVirus for MacOS and Linux?? by Haeleth · · Score: 1

      "Viruses" as Windows users know them are only possible in the Windows world.

      That depends how pedantic you're going to be about definitions. Most computer users think of trojans and worms as special types of virus, rather than as distinct types of malware.

      And a trojan, for example, would be trivial to write for Linux, in theory: you just need a local root exploit and a malicious script. The only difficulty (once you'd found an exploit) would be in getting malicious code into a script people will just download and run. I'd think the configure script of a sufficiently popular bit of software would do the trick. Maybe you could release a cool new plugin for a popular desktop environment, in an attack along the lines of those trojan screensavers you used to see for Windows...

  29. How many NAV copies sell on Linux? by Anonymous Coward · · Score: 2, Funny

    Oh, never mind.

  30. ??Hydrogenous?? Infrastructure. by Flower · · Score: 1

    Pee on my network and you're in for quite the shock.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
    1. Re:??Hydrogenous?? Infrastructure. by colinrichardday · · Score: 1

      Well use some urine-resistant cabling!

  31. No-no-no-no by HangingChad · · Score: 4, Funny
    Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise".

    If it was a false paradise it would come with a tropical island, Nicole Kidman and bathtub full of champagne.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:No-no-no-no by Anonymous Coward · · Score: 0

      um, false paradise? More like paradise.. though I'd replace Kidman with Alyssa Milano, or Jessica Alba, maybe Angelina Jolie. Oh and a 35' sailboat...

    2. Re:No-no-no-no by Anonymous Coward · · Score: 0

      XP came with tropical island out-of-the box. Will Vista include Kidman and champagne?

  32. In other news by C_Kode · · Score: 2, Interesting

    The sky would be falling but the bad guys don't really want it to.

    Seriously, how are we "fortunate" that they only wish to take control over your server and not destroy it? If one of my servers is compromised it's as good as destroyed. If they didn't do it, I will as I wouldn't trust any part of the system. (drives wiped and hardware flashed)

    1. Re:In other news by Metzli · · Score: 1

      It's also not "fortunate" if gov't regulations exist about the privacy and protections of your data. Symantec may think you're "fortunate" but HIPAA, Gramm-Leach-Bliley, and Sarbanes-Oxley may disagree.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    2. Re:In other news by Kjella · · Score: 1

      Seriously, how are we "fortunate" that they only wish to take control over your server and not destroy it?

      They are not talking about servers, they're talking about your average desktop. And it is because most people don't do back-ups. I recently read that 50% of those under 23 have *never* made a back-up. Documents they have written, digital pictures they've taken, everything is a disaster waiting to happen. Whenever it is clean-up time, the first order of business is to save all the data they'd like to keep.

      If viruses destroyed the computer (wipe the BIOS? wtf), wiped the FAT then started overwriting files, many people would be completely and utterly fucked. Just as they are when their disk dies, only last week I had someone I studied with call me about what appeared to be a dead HDD. I haven't been on-site, but it sounded like they would be considering IBAS if it was actually dead. A maliciously wiped disk would be ten times worse off than that.

      --
      Live today, because you never know what tomorrow brings
  33. false paradise by Anonymous Coward · · Score: 5, Funny

    I think I'd rather exist in a false paradise than a certifiable hell.

  34. No no no no, just SBO. by Anonymous Coward · · Score: 0, Redundant

    No. No no no no no.

    Mixing up your network too much just means you have (Platforms X Security Holes) to worry about.

    At least with a homogeneous network as opposed to a HETEROgeneous you only have to worry about deploying patches for one platform.

    In order to automatically deploy OS X patches for example, you have to have an OS X server as well (in my experience). Otherwise, you're walking to them one by one and running the packages.

    Besides, choosing something because it's less of a target is simply "Security By Obscurity" in sheep's clothing. We all know how well that works huh?

    Disclosure: I run a heterogeneous network out of necessity, not choice. It SUCKS.

  35. Re:Hydrogenous Infrastructure. by Anonymous Coward · · Score: 0
    "Hydrogenous" Network?!? That would be a network made of hydrogen, wouldn't it?

    No, it would be water. Think hydroelectric, hydrolube, hydrophobe, etc. Of course, it's bloody nonsense whichever way you look at it.

  36. Of course... by milatchi · · Score: 1, Insightful

    Computer Security Still Totally Inadequate

    Of course, if it wasn't I wouldn't have a job.
    ;-)

    --
    Slashdot = -1 Redundant, Asperger, kdawson FUD, Libertarian, and Linux
  37. Re:Three Steps to 100% Computer Security by James+the+Warder · · Score: 1

    Someone can still get access by offering you a candy bar for the safe combo. You're better off by filling the safe with lead and dumping it in the ocean. It is still possible someone might find it and open it, but I don't think anyone is that desperate to get at your porn collection.

  38. Re:Hydrogenous Infrastructure. by ekephart · · Score: 5, Funny

    Yes... [clears throat] ahem... The exports of Libya are numerous in amount. One thing they export is corn, or as the Indians call it, "maize". Another famous Indian was "Crazy Horse". In conclusion, Libya is a land of contrast. Thank you.

    --
    sig
  39. Who modded this idiot insightful? by Anonymous Coward · · Score: 0

    See above.

  40. Mac User Buys Nortan AntiVirus by SQLz · · Score: 5, Funny

    Well, I bought Norton for mac and when I ran it, it said:

    "Updating Virii Signatures......"
    "0 Signatures updated, there are no virii for mac you idiot"

    Can I return it?

    1. Re:Mac User Buys Nortan AntiVirus by koreth · · Score: 4, Funny

      I know I'd want my money back if I bought an anti-virus program and discovered the authors didn't even know how to pluralize the word "virus."

    2. Re:Mac User Buys Nortan AntiVirus by SQLz · · Score: 0

      I have a long rich history of posts with bad grammar, typos, and awful spelling. Believe it or not, it's rare that someone is asshole enough to point it out since most people can get the joke. I think the whole 'lets point out spelling errors' posts are made by people who have nothing useful to post and feel like they need to make up for it by pointing out problems with other people's posts. Sad really.

    3. Re:Mac User Buys Nortan AntiVirus by Anonymous Coward · · Score: 0

      Though the correction post seemed to be intended as humour too, so what's the big deal?

    4. Re:Mac User Buys Nortan AntiVirus by Anonymous Coward · · Score: 0

      The plural of virus is virus. Not virii. You clod.

    5. Re:Mac User Buys Nortan AntiVirus by Anonymous Coward · · Score: 0

      Don't worry, be happy

    6. Re:Mac User Buys Nortan AntiVirus by Jesus_666 · · Score: 1

      We're talking about Norton Antivirus here. I'm surprised that the authors can spell "Mac" properly.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    7. Re:Mac User Buys Nortan AntiVirus by ifwm · · Score: 1

      But it wasn't a spelling error was it? You knew that it was the incorrect plural version if you've spent any time here on slashdot, because there used to be regular flame wars about "viruses vs. virii".

      "made by people who have nothing useful to post and feel like they need to make up for it by pointing out problems with other people's posts. Sad really."

      So, is it ALSO sad when someone DEFENDS their bad spelling? Is that sad squared then?

    8. Re:Mac User Buys Nortan AntiVirus by SQLz · · Score: 1

      You put DEFENDS in all caps, you must be an idiot.

    9. Re:Mac User Buys Nortan AntiVirus by dave1212 · · Score: 1

      In other words, you didn't learn anything, and those who attempt to aid you and others by correcting spelling and grammar errors are wasting their time. I don't think it's being an asshole, I appreciate it when I can learn from my mistakes.

      Great attitude, make sure you don't learn anything while you're on here!

  41. no shit by Anonymous Coward · · Score: 0

    Isn't this story a dupe?

    But yeah, the security situation today is AWFUL.

    Unfortunately, nobody has the guts to point out the real sources of the problem:

    #1: Incompetent programmers. I would say maybe 90% of the programmers working today (open source or closed source, it doesn't matter, it's the same pool of programmers) simply don't have the skill to write a secure program. Most don't have any training, and they don't write code in such a way that makes it easy to audit (simple, clearly-written, in a high-level language that facilitates clarity).

    Bring this up with a programmer and you're likely to get a response like "so what? no software is secure, that's just the way it is." or "oh yeah? let's see how secure YOUR software is."

    Basically, the meme is that it's okay to write crap software, because all of it is crap.

    #2: no accountability. Nobody punishes software authors when they make a mistake. Microsoft still makes money. phpBB still gets downloaded. Sendmail remains on the hard drive.

    This is the second meme: It's okay to use crap software, because all of it is crap.

    I really don't know what the solution is. Maybe programmers should have to get licenses before they can buy a computer. I have no idea. Maybe people should just wise the fuck up and not buy software that isn't secure. Maybe the government should refuse to enforce warranty disclaimers (bye bye open source?).

    All I know is, it pisses me off continuously.

    1. Re:no shit by KnightHawk420 · · Score: 1

      Please direct me to the list of truly secured software.....

    2. Re:no shit by Anonymous Coward · · Score: 0

      0xF000:0000

      For you who don't understand, this is a pointer to BIOS.

  42. Wait a sec by Anonymous Coward · · Score: 0

    Don't you mean a bathtub full of hot grits?

  43. It's been said time and time again. by Soul-Burn666 · · Score: 4, Insightful

    It doesn't even matter how secure your "system" is, stupid users will always break the system and allow infections.

    Where I live, there was a huge scandal about some company that sent other companies "demo discs" which the employees at the other company obviously ran, trusting some random company. This caused a trojan/backdoor to be installed, eventually costing the companies a lot of data which was viewed by their competitors.

    Even in the army, they have a network completely (physically) disconnected from the public internet, with very strict rules on what's allowed to move inside and usually everything is ok. One time there was a large outbreak of a virus, obviously it was disconnected from the outside, but still an outbreak.
    The source? A high ranked officer thought he's above the rules and connected his infected laptop to the inside network.

    No matter how strong are your means of security, stupidity will always prevail.

    --
    ^_^
    1. Re:It's been said time and time again. by burne · · Score: 1

      No matter how strong are your means of security, stupidity will always prevail. I've eradicated stupidity from my household, and that works just fine. Stupidity in the workplace seems to be a different problem, however. Spiking coffee with arsenic is effective except for legal consequences. I'm still working on that one.

    2. Re:It's been said time and time again. by burne · · Score: 1

      Another side-effect of frequent exposure to arsenic seems to be a deterioration of one's html-skills. Beware.

    3. Re:It's been said time and time again. by geoff+lane · · Score: 1

      You don't even need stupid users.

      In many projects it's (foolishly) more important to make progress than to create a secure service. Security is often something thought about at the end rather than being built in from the design stage.

  44. As long as humans... by i.r.id10t · · Score: 1

    As long as humans are part of it, it will happen no matter how good security is. Heck, spam gets sent because *someone* out there is dumb enough to buy something advertised as \/14gR4

    On the other hand, a clued-in user with "commonly recommended security tools of the times" (currently a firewall and AV if they run windows, future who knows?) will typically defeat most things.

    --
    Don't blame me, I voted for Kodos
  45. "Security Professionals" are Retards by Uhlek · · Score: 5, Insightful

    Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.

    I'm really tired of mediocre systems guys passing a CISSP exam (thousand miles wide, quarter inch deep) and being declared experts on securing things they don't even understand to begin with.

    For one, quantitative analysis of the numbers of vulnerabilities doesn't equate to determining if a system is more or less secure than another. It's also meaningless if you don't compare how the systems are configured in what kinds of environments. Even simple things like Linksys routers greatly contribute to additional security on a personal computer (Windows or otherwise).

    From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."

    Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.

    Insofar as Firefox and OS X being "in for surprises." Sure, Firefox is an evolving application, bugs will be introduced and squashed, and later on more will be introduced. Some of those will be security vulnerabilities. Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

    OS X ... please. The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over. Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause -- even if the spread wouldn't be nearly as bad. And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?

    Despite that incentive, it has yet to be done. A rootkit is being touted as "proof of OS X's insecurity." Give me a break. If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.

    Jesus, I hate security people. I just want to choke them.

    1. Re:"Security Professionals" are Retards by Anonymous Coward · · Score: 0
      From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."

      Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.

      Allow me to shed some insight for you.. That statement is useful not because it provides some great insight into the nature of whether your systems are "secure" or "not secure" (the mindset of the technical security expert), but because it changes the assumptions that IT (and Security) Managers use when designing business processes which affect security, such as change management and software patch installation. It also shows a shift in trends away from OS level vulnerabilities and towards Web Application vulnerabilities, indicating to management where to focus future IT Security initiatives (if they are not already.)

      As an example, the IT organization of the company I previously worked for ($20B revenue, 40K+ employees) made the assumption that announced critical vulnerabilities will be exploited within 30 days, and used that as the basis for developing the "critical patch" implementation timeline. Clearly, statistics such as these change those underlying assumptions.

      I will grant you that any IT Security manager worth their salt is aware of the trends before Symantec announces it, but third party statistics from a "trusted" source can carry far more weight with CxO's or Boards of Directors than one IT manager's opinion.

    2. Re:"Security Professionals" are Retards by Anonymous Coward · · Score: 0

      Security people want to choke you. So it's kinda even. How dare you!? Just who the hell do you think you are applying logic to security? I mean MAN, next you'll be telling people not to trust their fellow man. You phreakin commie!

    3. Re:"Security Professionals" are Retards by njyoder · · Score: 2, Interesting

      Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

      Ok, so you're acknowledging that Firefox will become susceptible to malicious websites then? So where's your disagreement?

      The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over.

      And it's still true despite what those inside the RDF say. BTW, it's viruses, not 'viri' or 'virii.' That's how l33t kidd13z spell it.

      Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause

      Why would it make them more famous? Because you say it's more difficult? If they did, no one would care. People have made viruses for older versions of Mac OS and no one cared. The funny thing is, the pre-OS X versions had very few viruses due to lack of popularity, despite even Apple admitting it having even less security than windows.

      And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?

      No, why would anyone be surprised that unpopular software hasn't had viruses written for it yet?

      Despite that incentive, it has yet to be done.

      What incentive? Praise from a tiny number of geeks? Because that's all that would happen, realistically.

      A rootkit is being touted as "proof of OS X's insecurity." Give me a break.

      Hello. For someone who just mocked others for not knowing about security, you obviously don't know about it yourself. You're basically suggesting that OS X is perfectly secure barring a really stupid user error, which is absurd.

      Take a look at a list of past vulnerabilities for OS X and take special note of the REMOTELY EXPLOITABLE ONES, including ones that require no special access to the machine:

      http://docs.info.apple.com/article.html?artnum=61798
      http://docs.info.apple.com/article.html?artnum=300667
      http://docs.info.apple.com/article.html?artnum=25631

      For someone who claims to know about security, I am *shocked* that you didn't even bother to check the advisories on Apple's official website. All it takes is a single unpatched machine to spread and that's no different than it is for windows--since windows users are notorious for not patching.

      Just a quick look revealed one vulnerability that allows you to gain access to the machine's hard drives via malformed DHCP packets. Another allows you to execute arbitrary code via a quicktime URL.

      If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.

      WELCOME TO COMPUTER SECURITY, PEOPLE ARE STUPID. That is principle number one. If you thought that security could operate under the assumption that people had common sense, you are sadly mistaken. OS X, like all OSes, has vulnerabilities and inevitably there will be many unpatched machines and that can be taken advantage of.

      WELCOME TO THE REAL WORLD.

    4. Re:"Security Professionals" are Retards by Onan · · Score: 1
      Why would it make them more famous? Because you say it's more difficult? If they did, no one would care. People have made viruses for older versions of Mac OS and no one cared. The funny thing is, the pre-OS X versions had very few viruses due to lack of popularity, despite even Apple admitting it having even less security than windows.
      Care to cite Apple admitting that? Or any evidence that it's true? I've used back through System 7, and my experience and understanding has always been that macos releases are substantially more secure than their Windows contemporaries. As you say yourself, viruses were not a problem for macos then, and they're not a problem now.
      What incentive? Praise from a tiny number of geeks? Because that's all that would happen, realistically.
      Um, yes. That's all that ever happens. You think people are writing viruses because it's a prudent career choice? They're doing it to enleeten themselves in the eyes of their friends, and tainting the relatively-pristine territory of macosx or linux would do that far more than writing Windows Virus #72,927,215.

      You're certainly right that osx has had security vulnerabilities; I don't think anyone is trying to suggest that it's absolutely inviolable all the time. But you know how you found those vulnerabilities listed? Because Apple fixed them. As Apple has a tendency to do, within a not-bad span of time, and which fixes then get automatically distributed to every osx machine whose user has not gone out of their way to disable updates.

      This means that the millions of osx machines out there have a tendency to be a fairly inhospitable place for viruses. There's a reasonably small window between the discovery of vulnerabilities and the disappearance of them on very close to every single system. Which is why your statement:

      All it takes is a single unpatched machine to spread and that's no different than it is for windows--since windows users are notorious for not patching.
      ...is simply not correct. A single unpatched machine would result in, at most, a single compromised machine. And numbers well above "single" are unlikely not because there are few osx machines total, but simply because Software Update runs by default and makes it inconvenient to not maintain current patches.
    5. Re:"Security Professionals" are Retards by Sven+Tuerpe · · Score: 1
      Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.

      I'm different. Hire me!

      Jesus, I hate security people. I just want to choke them.

      Uhm, never mind. That's really nice weather today, isn't it?

      --
      http://erichsieht.wordpress.com/category/english/
    6. Re:"Security Professionals" are Retards by njyoder · · Score: 2, Interesting

      I've used back through System 7, and my experience and understanding has always been that macos releases are substantially more secure than their Windows contemporaries

      What planet are you living on? All the previous versions had no file security and no memory protection mechanisms AT ALL. Any program executed on the machine has 100%, uninhibited access to all resources. This is public knowledge.

      They're doing it to enleeten themselves in the eyes of their friends, and tainting the relatively-pristine territory of macosx or linux would do that far more than writing Windows Virus #72,927,215.

      That's a nice little theory, but it really only goes to show your complete ignorance of how things really work. If that were true, why were viruses so extraordinarily rare for all prior Mac OS versions despite it having no standard patching mechanisms and no built in security? I guess NO ONE CARED.

      The potential to write worms for linux has been out in the open for quite a long while too--there are many machines running outdated versions of bind, sendmail, fetchmail, and so forth that could be taken advantage of.

      Every so often a new vulnerability will come out for some popular piece of networked *nix software and it will take months or years until most systems are patched. So if your theory were true, why hasn't some hax0r written worms for them? Perhaps it's because of a lack of interest.

      They get far more praise by infecting many Windows machines than the much smaller number of OS X machines. Ditto for Linux. You don't seem to understand that the 'feat' is about numbers, not about your imagined pristine reputation of OS X. And they're not actually pristine, they've had tons of vulnerabilities and even exploits, just not many viruses/worms.

      Because Apple fixed them.

      No, actually, it seems that Apple doesn't even write the majority of that software, so they don't write the fixes for it.

      whose user has not gone out of their way to disable updates.

      Not gone out of their way? You mean not clicked 'off'?

      within a not-bad span of time

      I see you turned on the "RDF" option. You really shouldn't preach that as a matter of faith. Apple can only fix it AT BEST, as fast as the authors of the software will fix it.

      Software Update runs by default and makes it inconvenient to not maintain current patches.

      I'm sorry, but you're under the mistaken impression that everyone wants and does have it running, especially a bad assumption with dial-up users.

      You're also under mistaken assumptions about time between discovery and fixing of something, especially since you seem to think it's APPLE fixing bugs, when more often it's not them doing the fixing.

      You're making an even worse assumption that the software compromised will be something covered by Apple's automated update system. That's a really, REALLY horrible assumption to make.

      For someone who is critical of false security experts, you sure are making yourself look like an even worse one.

    7. Re:"Security Professionals" are Retards by Onan · · Score: 1
      What planet are you living on? All the previous versions had no file security and no memory protection mechanisms AT ALL. Any program executed on the machine has 100%, uninhibited access to all resources. This is public knowledge.
      I'm certainly not suggesting that paleomacos is a shining paragon of security, just that it was consistently better than its Windows contemporaries.

      This sounds interestingly unlike you providing a reference for your claim that "Apple admitted" that macos was less secure than Windows.

      No, actually, it seems that Apple doesn't even write the majority of that software, so they don't write the fixes for it.
      Um.. sure, that's sometimes true. How is that relevant to this discussion? The end result is still patched software installed on nearly all machines.
      ...whose user has not gone out of their way to disable updates.
      Not gone out of their way? You mean not clicked 'off'?
      That's exactly what I mean. The overwhelmingly vast majority of users do not change the default settings of most software they use. This is why it's significant that macos defaults to being secure (updates applied regularly, zero services running), and Windows defaults to being insecure (what's the current median time to compromise of a newly-installed Windows machine on the net now, about six minutes?).
      ...within a not-bad span of time...
      I see you turned on the "RDF" option. You really shouldn't preach that as a matter of faith.
      Helllooooo, ad hominem. I wasn't "preaching" an article of "faith". I was careful with my choice of words: Apple's patch speed is not "stellar" or "phenomenal" or "instant", but it is "not bad". Specifically relevant to this conversation, their track record is consistently much better than Microsoft's.
      I'm sorry, but you're under the mistaken impression that everyone wants and does have it [Software Update] running, especially a bad assumption with dial-up users.
      Most people never give it a second thought; of those who do, most will have the common "updates must be good!" mindset. People who are using modems and yet are clever/confident enough to turn it off seem like a fairly small group. And if such a person were in such a situation, why wouldn't they just set it to pre-download updates in the middle of the night or day, and have them queued up waiting for authorization when they're actually at the machine? (Which, again, is the default behaviour.)
      You're making an even worse assumption that the software compromised will be something covered by Apple's automated update system. That's a really, REALLY horrible assumption to make.
      Everything that an attacker could reliably expect to have on a target machine to use as a vector is covered by Apple's software update: the kernel, the Finder, Mail, Safari, itunes, Quicktime, sshd, apache, samba. It's of course possible for users to manually install software that's outside the scope of what Apple's updates cover, but that drastically raises the odds that that user is comfortable with also upgrading that software as necessary.
    8. Re:"Security Professionals" are Retards by generationxyu · · Score: 1
      Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

      How about an application whose sole job is to pull data from untrusted sources as root and pass it to other programs which either send it to other hosts, receiving back untrusted data, run programs on that data, or write that data to disk as a user? Gotta have security problems, right?

      http://cr.yp.to/qmail.html

      --
      I mod down pyramid schemes in sigs.
    9. Re:"Security Professionals" are Retards by njyoder · · Score: 1

      I'm certainly not suggesting that paleomacos is a shining paragon of security, just that it was consistently better than its Windows contemporaries.

      Really? Even Win9x provided some level of memory protection. The NT-based Windows OSes had provided ACLs and full memory protection for a long time before then, even. Windows security has long had it beat. Mac OS was playing catch-up.

      This sounds interestingly unlike you providing a reference for your claim that "Apple admitted" that macos was less secure than Windows.

      They admit that they had no memory protection and no file system security. They also admit what I already described above about Windows. The implication is obvious.

      How is that relevant to this discussion? The end result is still patched software installed on nearly all machines.

      It's relevant because even if Apple was super-quick, they have to rely on others to fix bugs for them, which means that they are at the mercy of the expediency of others. So if the others are slow, Apple is slow by association.

      And you know what? The faster spreading Windows worms set records in just matters of hours and hit massive numbers in days. It doesn't take long to spread a worm.

      The overwhelmingly vast majority of users do not change the default settings of most software they use.

      I don't think you understand how much fiddling end users do with their systems, seriously. End users have a tendency to play with things that they shouldn't, anyone in tech support can tell you that.

      Helllooooo, ad hominem.

      "Ad hominem" is not a synonym for "insult", please go look it up and get back to me, moron.

      Specifically relevant to this conversation, their track record is consistently much better than Microsoft's.

      Yeah, if you count security through obscurity as part of their track record. Please. OS X was their first consumer OS to ever include any kind of file system security and any kind of memory protection, Windows had already beaten them to the punch by YEARS.

      And if such a person were in such a situation, why wouldn't they just set it to pre-download updates in the middle of the night or day, and have them queued up waiting for authorization when they're actually at the machine?

      You make a lot of assumptions about the users making smart, educated decisions, which is really the last thing you want to do when it comes to security. Honestly, I can't help you with that.

      Everything that an attacker could reliably expect to have on a target machine to use as a vector is covered by Apple's software update: the kernel, the Finder, Mail, Safari, itunes, Quicktime, sshd, apache, samba.

      "Everything"? You have statistics on it? I wasn't aware that the only software on the majority of OS X machines was listed above. Hell, even at 10% of machines, that would be huge damage.

      You sure have a strange definition of everything. Interesting that it didn't even include Firefox, but then again, what do I expect from someone who pulls statistics out of their ass and uses words like "everything" when they really mean "some things." Time to call the hyperbole police.

      It's of course possible for users to manually install software that's outside the scope of what Apple's updates cover

      Duh, that was the whole point.

      but that drastically raises the odds that that user is comfortable with also upgrading that software as necessary.

      HAHAHAHAHAHA. WOW. That is, BY FAR, the WORST security related assumption you've made so far. Numerous windows users will just download third party software like crazy, without a second thought and only update it when they hear about a new feature, *maybe*.

      Assuming these people crossed over to OS X, how would it be any different?

      Furthermore, even if the user is more educated, why are you excluding the possibility that they're lazy? In fact, lazy isn't even the right word, I shoul

    10. Re:"Security Professionals" are Retards by Onan · · Score: 1
      "Ad hominem" is not a synonym for "insult", please go look it up and get back to me, moron.
      A denial of ad hominem attacks concluded with "moron." I love it.

      Well, here's me giving up on the idea that you're capable of--or at least interested in--a meaningful discussion instead of infantile name-calling.

  46. Re:Hydrogenous Infrastructure. by Locke2005 · · Score: 1
    Water? No, I don't think so. Consult your dictionary:

    Hy`droge`nous a. 1. Of or pertaining to hydrogen; containing hydrogen.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  47. Re:Three Steps to 100% Computer Security by Anonymous Coward · · Score: 0

    Someone can still get access by offering you a candy bar for the safe combo.

    Oh! A candy bar! Sweet deal! Here's my safe combination.

    *takes bite from candy bar*

    Shoots person who offered the candy bar for the safe combination in the head.

    A free candy bar and a guilt free homicide. Life simply doesn't get any better than that.

  48. Not JAVA, but FLASH!!! by CDMA_Demo · · Score: 1

    Not really...viruses replicate by using the host to replicate, sort of recursive replication like this:

    void infect(this-host,) {
    infect(n-hosts near this-host);
    for(int i=0;i < n; i++)
    infectHost(n);
    }

    Java doesn't spread like a virus. I think Flash is a virus because it uses the computer user as a host for the get-flash-now-meme and makes him download it.

    1. Re:Not JAVA, but FLASH!!! by CDMA_Demo · · Score: 1


      Oops!!!:

      void infect(this-host) {
      infect(n-hosts near this-host);
      for(int i=0;i < n; i++)
      infect(n);
      }

    2. Re:Not JAVA, but FLASH!!! by Anonymous Coward · · Score: 0

      we are the robots

    3. Re:Not JAVA, but FLASH!!! by Anonymous Coward · · Score: 0

      If you're going to write and then correct code, at least make sure it makes sense the second time.

      void infect(this-host){
        infect(this-host);
        //infect n-hosts near this-host
        for(int i=0;i < n; i++)
          infect(n);
        }
      }

    4. Re:Not JAVA, but FLASH!!! by CDMA_Demo · · Score: 1

      yea thanks! long day....

    5. Re:Not JAVA, but FLASH!!! by sosume · · Score: 1

      hmm i tried your code:

      void infect(this-host){
          infect(this-host);
      }

      but it keeps infecting my host only .. does it ever get to infect another? There is also something 'overflowing', it's called a 'stack', hmmmm?

    6. Re:Not JAVA, but FLASH!!! by iwan-nl · · Score: 1

      Your "pseudo code" seems to infect the same machine n times.

      --
      I'm trying to improve my English. Please correct me on any spelling/grammar errors in this post.
    7. Re:Not JAVA, but FLASH!!! by Haeleth · · Score: 1

      There is also something 'overflowing', it's called a 'stack', hmmmm?

      Ooh, I've heard of that! It was a problem with recursive function calls in certain neanderthal programming languages, way back before the invention of tail call optimisation in the early Middle Ages, wasn't it?

      Surely nobody is still using such primitive tools today.

    8. Re:Not JAVA, but FLASH!!! by Anonymous Coward · · Score: 0

      Hmm, I suppose corrections of correction are held to an even higher standard and I had that coming.

      How about this:
      void recursive_infect(this-host){
          infect(this-host); //infect n-hosts near this-host
          for(int i=0;i < n; i++)
              recursive_infect(n);
          }
      }

      Assuming infect is a method that terminates, that should work. The stack won't overflow that I can see.

  49. dark future by Anonymous Coward · · Score: 5, Funny

    Symantec foretells a dark future for Firefox and Mac users...

    Whew, good thing I'm running IE 5.5 and Windows 98.

    1. Re:dark future by Randseed · · Score: 1
      IE 5.5 and Windows 98? Dude, you're asking to get pwned!

      I know the true way! Whenever I set up a Windows box for someone, I install Windows 98, never patch it, install IE 5.5, never patch it, and preinstall Gator because, well, alligators are fearsome creatures.

      I am a CISSP security expert! Hear me roar! (whimper)

  50. I don't know if we're lucky. by Progman3K · · Score: 4, Interesting

    If all the infected machines were erased, there would be no more bots to spam me with e-mail. There would be no more ddos armies either... http://en.wikipedia.org/wiki/Ddos

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:I don't know if we're lucky. by Ernesto+Alvarez · · Score: 2, Insightful

      You're not the only one thinking about that. A friend of mine considered the same scenario once. I think it wouldn't be too bad if someone released a killer worm. The insecure machines would be erased, while the properly secured ones would remain.

      In fact, it's the standard policy at home: I let my folks do whatever they want with their PC, if it starts acting funny, though, it gets reformatted and reinstalled (with a previous DATA ONLY backup, strictly). I don't let them choose the basic software (mozilla or nothing), and if they install malware I consider that their fault and the above rule is applied.

      Eventually they learn to accept the consequences of their mistakes.

    2. Re:I don't know if we're lucky. by Technician · · Score: 1

      combined with a PC BIOS eraser or disk locking tool

      I wish more PCs had a hardware jumper to prevent BIOS writes. A password provides only limited protection. My old PC has an EPROM, not an EEPROM. Only the BIOS settings can be changed, but not the BIOS routines. Newer machines can be wiped with a BIOS flash malware. A two position jumper would be great. A FLASH me position that provides an on screen warning, and a run position that disables flashing of the BIOS.

      Locking of hard drives is another exploitable problem. I hope system manufacturers add a challenge response routine to the hardware locking and BIOS flashing abilities. This should slow down an exploit due to the added variables.

      --
      The truth shall set you free!
    3. Re:I don't know if we're lucky. by IceAgeComing · · Score: 1


      First rule of any evolutionarily successful virus: do not kill your own host.

      IIRC, there is historical evidence for human viruses becoming less deadly over the years precisely because the virus has a better chance to remain alive if its host does not die.

  51. The real story by iPaqMan · · Score: 1

    Since we are speculating, why don't we just say there is a bleak future for anti-virus software companies because software patches are released at such a high rate and security is such a high priority for software vendors that the future need for anti-virus software is low.

    I know we will probably always need AV software but I thought I would make up some FUD conclusion like symantec did.

  52. Computer viruses like their biological counterpart by Yossarian45793 · · Score: 5, Insightful

    It should come as no surprise that computer viruses and worms tend to aim for control rather than destruction. This exactly parallels what happens with biological viruses and worms. A virus that destroys its host cannot propagate very far before becoming extinct. Viruses that damage their host but leave it in good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).

  53. Dupe by Bogtha · · Score: 0

    The Alan Cox story was covered on Slashdot last week.

    --
    Bogtha Bogtha Bogtha
  54. IMHO, Symantec has done more damage themselves! by King_TJ · · Score: 5, Interesting

    It makes me cringe whenever I hear Symantec making these "predictions" about potential attacks on computers.

    I have run into *countless* numbers of damaged Windows installations, directly attributable to Symantec's own products. Just last week, I struggled for hours with a customer's XP Home Edition because he was "having problems getting any streaming audio to work properly".

    Upon closer examination, the XP firewall was in a corrupt state, refusing to allow connections for his Internet radio stations. I was unable to view the advanced firewall properties, etc. After looking up event log error codes and trying several methods that repaired the problem for some people, it became obvious that I was looking at the result of a botched uninstall of a Symantec Personal Firewall or "Internet Security Suite" product.

    Not only can these things happen, but you'll often see computers with errors with the "32-bit subsystem" when going to an MS-DOS command prompt, due to Norton products screwing up system registry settings due to an improper/incomplete uninstall or installation/upgrade.

    Furthermore, when their anti-virus and "security suite" products do work properly, they still bring older, slower PCs to their knees in many cases. The "on-demand scanning" feature lags far behind the rest of the system when working with large numbers of small files (extracting a ZIP or the like), causing a window to constantly pop up, informing you to "please wait" while it scans them... And their "activation" process they now require for their AV products in Windows is every bit as bad as Microsoft's XP activation procedures! I remember purchasing a 25-pack of OEM Norton AV licenses last year, only to find that 6 or 7 of the key codes refused to work, claiming they were "used too many times" or the like. (I guess pirates with keygens hit upon them already or something?) This is *not* the type of B.S. you want to fool around with when you're on a client site, getting paid by the hour to fix a virus problem for them!

    I won't even go into the disk corruption their "Disk Doctor" for Macintosh did to MANY customers after they upgraded to newer versions of OS X and Symantec didn't keep up with needed changes/patches to the product!

    Their company went down the tubes ever since Peter Norton quit coding their products and started getting royalties for having his photo thrown on the front of the packages.

    1. Re:IMHO, Symantec has done more damage themselves! by C0llegeSTUDent · · Score: 1

      >>Their company went down the tubes ever since Peter Norton quit coding their products and started getting royalties for having his photo thrown on the front of the packages.

      All hail Grisoft, our new AV overlords! Free AV is the best thing since sliced bread, and it doesn't consume 512mb in ram like symantec sh*t. My only complaint is when the AV pops up at 3am when I am in the middle of playing cs.

    2. Re:IMHO, Symantec has done more damage themselves! by Halfbaked+Plan · · Score: 1

      Their company went down the tubes ever since Peter Norton quit coding their products and started getting royalties for having his photo thrown on the front of the packages.

      That's why any knowing geek refers to it as 'Bitmap Antivirus' and 'Bitmap Internet Security Suite' (or whatever the heck they're shucking it as now.)

      Peter Norton is as much a bitmap as Col. Sanders on the Kentucky Fried Chicken sign.

      Actually, I don't think he was involved at Symantec ever, was he? Symantec used to be a good company that made a C++ compiler (still have the Symantec C++ CD here somewhere) that was somewhat cross-platform on Mac and the PC. Then some kind of garbage MBAs took over and sucked Norton's company and also Central Point Software into the void of a company it now is.

      'Norton' has never meant anything but 'Bitmap' since Windows. It was always a DOS toolkit, and powerful and useful in its time.

      --
      resigned
    3. Re:IMHO, Symantec has done more damage themselves! by csirac · · Score: 2, Interesting

      Haha, I'm so glad I don't do tech support any more.

      So, I'll tell you something for nothing -

      Actually, more often than not, the "32bit subsystem error" is caused by a missing autoexec.nt and config.nt in the windows\system32 directory.

      No joke... check out MS KB 305521 (yes, I have a few favourite KB articles memorised...)

      You can recreate these as zero-length files or just copy them from the restore\ directory (created during initial XP install - may not exist on OEM images).

      Unfortunately, a certain number of systems will still insist on deleting these files again for you after a random period of time; I hadn't associated this with any Symantec products but it sure as well wouldn't surprise me...

      Imagine us, as an authorised Symantec reseller, trying to get support for several OEM discs coming with invalid product keys and being told that "there is no such thing as OEM NAV" (with me holding the phone in one hand in disbelief and a disc with the big fat honking black letters on yellow background, "OEM - To be sold only with a new PC" in the other).

      Christwagons, that Symantec shit is the worst fucking experience of my life. I'm working on erasing that crap from my memory.

      "Oh your email isn't working? No, our servers are fine... do you happen to be running a symantec product with firewall features? You did liveupdate recently... okay now just follow this 6 page registry hack procedure, it appears they released a faulty LiveUpdate... again..."

      AHAAAAHGHGHGHHGHGHHGH

      I spoke to one of the techs that still work at that shop, he said that they've switched to kaspersky and haven't looked back (at least Kaspersky doesn't depend on a 100% healthy windows system - symantec needs 1001 windows components to be working properly or it just breaks in a hilarious way. ActiveX, Javascript, Internet Exploder, proper trusted zone settings, etc etc...).

      One of the best features is that Kaspersky resellers get to manage their customer's product and activation keys!! Which was a huge source of frustration for them, I can't believe they stuck with Symantec for so long after being Symantec resellers ever since they opened up in the mid-90s... gotta love the "kbfix.exe" that corrected the random de-activation of OEM NAV (which doesn't exist, by the way) on Laptop machines running XP Home... Why laptops? Who knows... it boggles the mind to think how software could possibly be written, such that it could possibly even know it was running on a laptop, let alone come up with a reason as to why it would like to do something so utterly arbitrary as de-activate because it was running on one.

    4. Re:IMHO, Symantec has done more damage themselves! by Baricom · · Score: 1

      Actually, it's fairly trivial to find out you're running on a laptop - you just ask Windows. Even if you couldn't do that, you could probe the hardware to look for a battery, docking station, or some other laptop-only feature.

      I don't know anything about your situation, but the Symantec fix might have just increased the required number of hardware changes before it deactivates - Windows Product Activation cuts laptops some slack for the same reason.

    5. Re:IMHO, Symantec has done more damage themselves! by Anonymous Coward · · Score: 0

      I almost completely agree with you on your last line, except it should read "since Windows 95" as Norton Desktop, though it admittedly required more resources to run it over Windows 3.x, was an excellent utility. It reined in Windows' habit of allowing users to drag windows off the screen and saving them there by default and gave the user several decent tools to work inside Windows for disk and file management etc. As I recall installing Windows 95 upgrade with Norton Desktop on the machine would refuse to proceed unless you uninstalled ND.

      Norton Utilities for Windows 95 was a very broken set of programs. The settings in the Win95 installation config file, registry, win.ini etc files might make interesting study for conspiracy theorists.

      Norton Utilities for DOS 8.0 was a decent set of tools at least till 32bit file system and disks/partitions greater than 2 megabytes came along.

    6. Re:IMHO, Symantec has done more damage themselves! by Jesus_666 · · Score: 2, Interesting

      Yup, sounds about right. I had much fun with NIS 2001, which, for some strange reason, decided to stop working after we had reinstalled the computer's ISDN card. Not only did the process refuse to respond to any kind of input, it could also not be terminated in any way (which subsequently made proper deinstallation impossible). Also, it blocked 100% of all Internet traffic.
      We had to boot from a rescue floppy and delete the NIS folder before the system got usable again (yay for FAT32). Of course, a few weeks later another PC's installation of Norton Personal Firewall decided to eat the system tray. The tray was just gone, with no way to get it back. At least we could wipe NPF using Safe Mode.

      Back when DOS was cool the Norton products were great. But the Win32 versions are complete and utter junk. If I have to secure a Windows computer, I now use Antivir PE and a NAT router.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  55. Register.uk's publishing Symantec's adware by DECS · · Score: 5, Insightful

    Symantec is publishing a self serving press release full of intentional lies as a news item, and idiot news outlets like the Register are publishing it without criticism.

    Shame on both!

    How about reporting:

    "Symantec issued an official sensationalist panic warning to Mac users who have not bought their product. It is unclear how Symantec's products will secure the Mac platform from exploits, since they do nothing to secure a system from a user with physical access. The company may also consider selling volcano insurance and eating babies"

    From the actual Register story:

    "While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future. Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X. This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."

    So Symantec:
    - is shy to report that there are no exploited vulnerabilities
    - analyzed an OS X root kit and determined it ran on OS X
    - thinks the adware/malware market, driven by demand for easy to zombify PCs, is somehow poised to launch specialized attacks on inherently secured systems via non-replicating trojans that require root access to install.

    Which is worse, Symantec's bullshit misinformation, or the Register's uncritical dissemination?

    1. Re:Register.uk's publishing Symantec's adware by Halfbaked+Plan · · Score: 2, Funny

      Which is worse, Symantec's bullshit misinformation, or the Register's uncritical dissemination?

      I vote that the regurgitation on Slashdot's home page is the worst.

      Shame on all three!

      --
      resigned
    2. Re:Register.uk's publishing Symantec's adware by C0llegeSTUDent · · Score: 1

      - analyzed an OS X root kit and determined it ran on OS X

      The sad part is the "security professional" doing this likely rakes in a $60k+ salary.

    3. Re:Register.uk's publishing Symantec's adware by NeedleSurfer · · Score: 1

      The Register was once my homepage but since their editorialists started throwing sissy fits at mac users I decided I would just drop them. I tried to find the various articles but their inept site doesn't have a search feature (for the archives at least) and I just don't want to go through all of their trash stories again just to find those. The register staff is populated with brand whores and "journalists" who write what the hell is submitted to them by their advertisers. I use a PC, so this is not a mac fanboy post contrary to what would please their defenders.

    4. Re:Register.uk's publishing Symantec's adware by NickFortune · · Score: 1
      Which is worse, Symantec's bullshit misinformation, or the Register's uncritical dissemination?

      There's a degree of debate as to whether El Reg's tariff is purely for laughs, or intended as a serious proposition.

      But every time they regurgitate some idiot press release, I really do start to wonder.

      I like the Register. It's funny. But some of their stories, I feel, are best run through the old Bullshit Detector before attempting to digest.

      --
      Don't let THEM immanentize the Eschaton!
  56. 100% Not so!! by reality-bytes · · Score: 1



    What is to say the guy who designed the safe didn't install a back-door!

    --
    Ripping a new rectum in the fabric of spacetime.
    1. Re:100% Not so!! by Randseed · · Score: 4, Funny
      What is to say the guy who designed the safe didn't install a back-door!
      I wondered how that midget got in there!
  57. And that is why you'll continue to see these. by khasim · · Score: 5, Insightful
    The "experts" writing these "articles" will be out of a job as security increases.

    From TFA:
    According to the latest edition of Symantec's Internet Security Threat Report, 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer in the first half of 2005.
    And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.

    Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.
    Graham Pinkney, head of threat intelligence EMEA at Symantec, said that switching from IE to Firefox as a way of minimising security risks was no longer valid advice.
    Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?
    "Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Pinkney told an IDC security conference last week ahead of the publication of Symantec's threat report today.
    And he has determined that ... how?

    Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?
    John Cheney, chief executive of email filtering firm BlackSpider, replied that the release of Firefox had "helped Microsoft to raise its game" in terms of browser security.
    "We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?
    As well as making comments that will doubtless irk Firefox fans, Symantec has renewed its assault of the perceived security advantages of Apple Macs.
    Hmmmm, Symantec sells anti-virus software and the like.

    Macs don't seem to be having massive virus/trojan/worm problems.

    Something doesn't look right.
    "Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac's operating system, OS X," Symantec said, reflecting comments in the previous edition of its threat report that OS X was an emerging target for attack.
    When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.
    "While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future."
    Again, it isn't the number of vulnerabilities, it's how they can be exploited.

    Yet I keep seeing references to the NUMBER of vulnerabilities announced.
    Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X.
    #! /bin/bash
    cd /
    rm -R

    Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!
    "This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."
    As does my example with regards to bash and Linux.

    It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.
    Away from the desktop, Microsoft enterprise applications remain the top hacker target.
    Why "away from"?

    Aren't they also the top target on the desktop?

    How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?

    Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.
    1. Re:And that is why you'll continue to see these. by jdgeorge · · Score: 1

      Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.

      Really, Symantec will be around a long time protecting MS Windows customers. This is not an attempt to crack new markets, but an attempt to scare people away from OSX, *BSD, and Linux, and retain them in their current market, MS Windows.

      The irony, of course, is that Microsoft really is working at reducing the need for "leech" companies such as Symantec which feed off its flaws. Each successive release of MS Windows is a blow to the relevance of "security" purveyors like Symantec.

      The biggest security threats of the future (in my humble opinion) are phishers, not hackers. Eventually, even Microsoft will produce a system with adequate security by default. (No, really.) Bogus web sites will be (if they are not already) a bigger threat than the vulnerability of operating systems.

    2. Re:And that is why you'll continue to see these. by Anonymous Coward · · Score: 0

      I completely agree!

      The amount of undifferentiated reporting even by computer journalists/experts is just frightening because there isn't any secret about the differences in security risks. So why don't they check the facts or think about it for a second. Is it because it would make the job harder or is it because the journal could lose the advertisements?

      Symantec's report seems to reflect the expectation of a new market segment. But it is really funny when you read it like a Linux review by Microsoft.

    3. Re:And that is why you'll continue to see these. by Spoing · · Score: 1
      The "experts" writing these "articles" will be out of a job as security increases.

      OH! An optimist! :)

      On a serious note, what makes you think security is increasing? With added complexity comes defects...and applications to operating systems are constantly getting more complex.

      It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.

      No doubt. Symantec used to create valuable products. I can't say that these days. It all seems to be scare tactics and insisting that they are in an important software category; they aren't ... and the category isn't security btw!

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    4. Re:And that is why you'll continue to see these. by Spoing · · Score: 2, Interesting
      The irony, of course, is that Microsoft really is working at reducing the need for "leech" companies such as Symantec which feed off its flaws. Each successive release of MS Windows is a blow to the relevance of "security" purveyors like Symantec.

      Are you really sure that they are serious about security? Looks like they have some leech-like qualities themselves!

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    5. Re:And that is why you'll continue to see these. by nick+this · · Score: 2, Insightful
      Really, Symantec will be around a long time protecting MS Windows customers.

      Sort of, except I'm not willing to stipulate that Symantec is in the business of security. I think they deal more in the field of "security perception management".

      Witness "Symantec Internet Security Suite", with a bunch of sub-standard crapware that breaks just about every machine it touches. Even if Windows becomes completely secure, Symantec will move to a "VoIP Security Suite" or an "IM Security Suite", or "$BUZZWORD Security Suite".

      They have no danger. As long as there are PHBs and home users (WTF were you thinking dad? Why did you install this crap?) then Symantec will never lose its core market.

    6. Re:And that is why you'll continue to see these. by Anonymous Coward · · Score: 0

      Have you seen Symantec's adverts? "While you were out, HACKERS broke in!"

      Nope, definitely not scaremongering, no sir, not them.

    7. Re:And that is why you'll continue to see these. by Evil+Grinn · · Score: 1

      Symantec will be around a long time protecting MS Windows customers.

      Symantec does more than sell antivirus products to John Q. Public. Look at their corporate history:

      # July 2005 VERITAS Merger
      # May 2005 XtreamLok Acquisition
      # April 2005 DataCenter Technologies, Inc. Acquisition
      # December 2004 Platform Logic Acquisition
      # October 2004 @stake Acquisition
      LIRIC Acquisition
      # September 2004 KVault Software Limited Acquisition
      # July 2004 TurnTide Acquisition
      Invio Software, Inc. Acquisition
      # June 2004 Brightmail Acquisition
      # February 2004 ON Technology Corp. Acquisition
      # January 2004 Ejasent, Inc. Acquisition
      # December 2003 PowerQuest Corporation Acquisition
      # October 2003 Safeweb, Inc. Acquisition
      # August 2002 Riptech, Inc. Acquisition
      Recourse Technologies Acquisition
      SecurityFocus Acquisition
      # July 2002 Mountain Wave Acquisition
      # October 2001 Lindner & Pelc Acquisition
      # July 2001 Foster-Melliar Acquisition
      # December 2000 AXENT Technologies Acquisition
      # November 2000 Network Storage Management Group of Seagate Acquisition
      # February 2000 L-3 Network Security Acquisition

      Several of those acquisitions are security consulting firms that tell big business how to secure their networks, for big bucks. I'd bet that they make more money from this than from their crunchy herbal shrinkwrapped stuff.

      McAfee is in the same game.

    8. Re:And that is why you'll continue to see these. by coolGuyZak · · Score: 1
      #! /bin/bash
      cd /
      rm -R

      Your script wouldn't work. You forgot to add in something to gain root. Here's some modified code that should work better:

      #! /bin/bash
      textOut="Enter root password to access PARIS HILTON NUDE!"
      case $TERM in
      # Place different terms here
      # Depending on term type, use a different password retrieval dialog.
      # This could be exchanged for some other form of environment detection
      konsole)
      Grab="kdialog --password \"${textOut}\""
      *)
      Grab="echo \"${textOut}\npassword: \"; read"
      esac

      if [ $EUID != 0 ]; then
      su < "$(${Grab})";
      fi

      cd /
      rm -rf

      Ah, the beauty of Open Source/Collaborative development. (Note to /.ers: please do not run this on your computer).

    9. Re:And that is why you'll continue to see these. by ctzan · · Score: 1

      : su "$(${Grab})";

      bullshit. that doesn't work.
      and 'su' only accepts input from a terminal, anyway.

    10. Re:And that is why you'll continue to see these. by Anonymous Coward · · Score: 0

      #! /bin/bash
      cd /
      rm -R

      I have seen so many really smart people fall into this really stupid problem - most distros alias 'rm' with 'rm -i', which will make the above statement fail miserably. Not only that, but if there are any directories or files owned by root & are missing the write bit, it'll hang on that. Far more fail-proof:

      #!/bin/bash
      cd /
      rm -Rf *

    11. Re:And that is why you'll continue to see these. by coolGuyZak · · Score: 1
      ok, I have 2 things to say to that.
      • echo "$(${Grab})" | su # fixed bug number 13608841a
      • It is a JOKE.
      • I forgot su only accepts input from the terminal.
      • It's still a joke.
    12. Re:And that is why you'll continue to see these. by coolGuyZak · · Score: 1

      Note: The above looks more like 4 things (well, 4 items, 3 different points). I separated points, then forgot to change my header line. whoops.

  58. Opt-In ActiveX is the best IE feature, ever by quazee · · Score: 5, Informative

    This, in fact, should reduce the IE's attack surface several-fold.

    MS has made a huge mistake when IE 4.x-6.x relied on CATID_SafeForScripting/CATID_SafeForInitializing COM component categories to make decisions whether it's safe to use the COM component from a JavaScript/VBScript.

    CATID_SafeForScripting is not needed when the COM component is accessed from a stand-alone .VBS/.JS script stored on the local machine (which is trusted to do anything anyway), yet a lot of MS and third-party components are in CATID_SafeForScripting for no reason at all.

    IE has a kill bit feature which allows disabling certain scriptable COM components based on their GUIDs. And most IE security fixes are, in fact, just registry updates adding more of those "kill bits".

    Examples: http://www.microsoft.com/technet/security/bulletin/fq99-032.mspx
    http://www.microsoft.com/technet/security/bulletin/fq99-037.mspx
    http://www.microsoft.com/technet/security/Bulletin/MS02-055.mspx
    http://www.microsoft.com/technet/security/Bulletin/MS02-065.mspx
    http://www.microsoft.com/technet/security/bulletin/ms02-055.asp
    http://www.microsoft.com/technet/security/bulletin/ms03-038.asp
    http://www.microsoft.com/technet/security/Bulletin/MS03-038.mspx
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-038.asp
    ... and many-many-many more of these holes (just search for "kill bit" with the quotes)

    --
    throw new SuccessException("Sig read successfully");
    1. Re:Opt-In ActiveX is the best IE feature, ever by bombadier_beetle · · Score: 3, Informative

      And to make matters worse, IE running on Windows XP SP2 now blocks lots of ActiveX objects whether or not they are in CATID_SafeForScripting... which might be a kind of blanket security, except now an ActiveX object merely has to correctly implement IObjectSafety to get around that. So I suppose Microsoft isn't protecting us from malware writers, they're just protecting us from really lazy ones.

      --

      If you mod me down, I shall become more powerful than you can possibly imagine.
    2. Re:Opt-In ActiveX is the best IE feature, ever by quazee · · Score: 2, Insightful

      Good point about IObjectSafety in SP2. MS has raised the "bar" a bit further up by this, leaving old buggy code behind the bar.

      However, if malware ever gets installed and gains admin access, it is quite pointless to defend against it.
      Even the new IE7 opt-in system is going to be fooled - but *until* your system is rooted, you are in control of the COM components that can be used against you - and that's the point.

      --
      throw new SuccessException("Sig read successfully");
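
The kill-bit mechanism discussed in the sub-thread above, as an added example (not code from any poster or from Microsoft): a Python audit of a `reg export` dump that reports whether each expected CLSID actually has the kill bit set. The registry path and the 0x400 "Compatibility Flags" bit are Microsoft's documented kill-bit location; the CLSIDs and the export text are constructed placeholders.

```python
import re

# Documented kill-bit flag in the "Compatibility Flags" DWORD.
KILL_BIT = 0x00000400
# Parent key (lower-cased for matching); each child key is named after a CLSID.
COMPAT_SUFFIX = r"\microsoft\internet explorer\activex compatibility"

KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)


def parse_kill_bits(reg_text):
    """Map (view, CLSID) -> Compatibility Flags value, or None if the value is absent."""
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = None
            path = key.group(1)
            if path.startswith("-"):  # "[-HKEY...]" deletes the key on import
                continue
            head, _, leaf = path.rpartition("\\")
            if head.lower().endswith(COMPAT_SUFFIX) and CLSID_RE.match(leaf):
                # 32-bit browsers on 64-bit Windows read the WOW6432Node view.
                view = "wow6432" if "\\wow6432node\\" in head.lower() else "native"
                current = (view, leaf.upper())
                result.setdefault(current, None)
            continue
        value = FLAGS_RE.match(line)
        if current and value:
            result[current] = int(value.group(1), 16)
    return result


def audit(reg_text, expected_clsids, views=("native",)):
    """Classify each expected CLSID per registry view.

    'blocked'        - entry exists and the kill bit is set (other bits may be too)
    'kill-bit-clear' - entry exists but the flag is missing or lacks 0x400
    'no-entry'       - no ActiveX Compatibility key for this CLSID in that view
    """
    found = parse_kill_bits(reg_text)
    report = {}
    for clsid in expected_clsids:
        for view in views:
            key = (view, clsid.upper())
            if key not in found:
                report[key] = "no-entry"
            elif found[key] is not None and found[key] & KILL_BIT:
                report[key] = "blocked"
            else:
                report[key] = "kill-bit-clear"
    return report


# Constructed sample export; every CLSID below is a placeholder, not a real control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000a2}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A6}]
"""

# Constructed list of CLSIDs an administrator expects to be disabled.
EXPECTED = ["{00000000-0000-0000-0000-0000000000A%d}" % n for n in range(1, 7)]

if __name__ == "__main__":
    for (view, clsid), status in sorted(audit(SAMPLE_REG, EXPECTED, ("native", "wow6432")).items()):
        print(f"{view:8} {clsid} {status}")
```

On a real machine the input would be the text of an export of the ActiveX Compatibility key from each registry view, decoded to a Python string before it is passed to `audit`.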
  59. I'm surprised by CAIMLAS · · Score: 1

    I'm surprised no seriously malicious attacks haven't taken place yet. You'd think hardware vendors would perpetrate such things: they'd see huge sales.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  60. Dear Symantec, by Anonymous Coward · · Score: 0

    Now that firefox is as much of a security risk as IE, I wonder if you geniuses would care to use gecko in place of mshtml for the GUI on your security products? (Laugh, it's funny)

    How about using spidermonkey for your active scanner? Javascript is overlooked as an application language and honestly, it's not going to be any more resource intensive than your current lameware.

  61. Going Nuclear by Doc+Ruby · · Score: 4, Interesting

    We haven't reached the tipping point yet. The tipping point from "blacklist" to "whitelist". People's computers still trust transmissions unless they are explicitly told not to. After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust". When an associate's own risk goes up, either through proximity through intermediaries with another associate that's not demonstrated uncompromised, or through failing vulnerability tests, or matching profiles vulnerable to newly identified threats, our systems will quarantine transmissions from them. Tainted info that's interacted with their transmissions will not be depended upon for any writeable operations. All our updated mitigations and responses will be brought to bear on the threat's local extent of transmissions. But the big difference will be that every system's default will be "distrust", and all systems will communicate their trustability as status changes.

    This change will be as important to infosystems as was the transformation of life on earth from "prokaryotes", cells without a defined nucleus within a nuclear membrane, into prokaryotes, nucleated cells. Their DNA and other infosystems are compartmentalized from the other machinery of the cell, including those that interact with signal-carrying chemistry from the extracellular environment. That change is the basis for most of life on Earth, for most of the lifetime of the world. The changes in infosystems will likely be as epochal. And until the infodynamic boundary between humans and machines is no longer mediated by non-nervous tissue (like typing fingers and seeing eyes), it will primarily define our machines, as well as ourselves.

    --

    --
    make install -not war

    1. Re:Going Nuclear by Jonboy+X · · Score: 1

      Dude, lay down the keyboard.

      Seriously.

      First paragraph: A little heavy on the high-net-worth words, but essentially valid. Yup, trust webs will change things...someday.

      Second paragraph: Half-assed biological metaphor, most likely yoinked from some half-assed article in Popular Science. What the hell does "removing infodynamic boundaries" by becoming a Borg have to do with the transition *from* mishmashed information distribution (prokaryotes) *to* cells with nuclei (eukaryotes)? You've got your directions reversed. Jacking in directly would just give hackers access to your PIN number right through the back of your skull, without you ever lifting a finger.

      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
    2. Re:Going Nuclear by Sven+Tuerpe · · Score: 2, Interesting
      After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust".

      Nonsense. Or perhaps an attempt to spread some propaganda here to prepare the ground for so-called trusted computing? Or a misunderstanding of some high-level discussions between people who never had to deal with real-world security issues?

      There is an obvious flaw in your argument: What you describe requires a secure component that manages trust relationships, and decides whether to accept traffic or not from a particular source. You silently assume that this component cannot be manipulated, abused or attacked. Now if we are able to create such a component and integrate it with our computers in a meaningful way, without making it less secure through bugs outside the component itself -- why can't we build secure systems then?

      Another flaw lies in the expectation that people have a web of trust, and that it can be mapped onto the network traffic they produce or accept and such mapping helps to achieve any security goal. I don't and it can't. I'm paranoid, I trust nobody. However, I am willing to accept traffic from entirely untrustworthy sources like, say, pr0n sites. Which does not imply I trust them.

      --
      http://erichsieht.wordpress.com/category/english/
    3. Re:Going Nuclear by Caspian · · Score: 1

      What do you think the "N" in "PIN" stands for?

      --
      With spending like this, exactly what are "conservatives" conserving?
    4. Re:Going Nuclear by FishandChips · · Score: 1

      Your points are a wee bit pretentious, I think. First, "tipping point" is a favourite cliche du jour but tipping points in real life are surprisingly rare. In the second place, we're simply talking about computers here - no big deal. For the most part they are big and seriously dumb; compared to a living cell computers are the crudest of crude crud.

      As for computer security: a huge amount to improve it could be done tomorrow, but won't be so long as the big IT companies are allowed to behave like irresponsible robber barons.

      This isn't simply a matter of closed vs open source. I'm thinking of stuff like a) actively pursuing spam rings, phishing rings and the like just as vigorously as companies who flout international trading agreements are pursued; b) forcing ISPs to do a great deal more by way of securing themselves as consumer gateways and alerting users whose traffic patterns suggest they have been compromised; c) making it illegal to ship operating systems without secure defaults (like a firewall and, if appropriate, AV software). And, until such time as security does improve, d) imposing a profits tax to fund some of this on the egregious money made by the likes of MS or Dell. In some ways, it's not surprising that security is so poor when the funds to improve it are being siphoned off by monopolies.

      Of course, none of this will happen. The IT industry weeps crocodile tears and claims the problem is largely out of their hands, being a matter of law enforcement for the authorities. And the politicians nod sagely and say that computer troubles are unstoppable and probably all to do with illegal file sharing, while pocketing their "lobby contributions" from the suits and booking their tables at the best restaurants.

      --
      Las qué passoun
      tournoun pas maï
    5. Re:Going Nuclear by Doc+Ruby · · Score: 1

      When we're all online all the time, our "psychic friends network" will rely on exactly the kinds of encapsulations I describe.

      So you don't understand that I described the two tipping points, each driven by different changes that I described. That I described the time between, when biology provides the metaphor, and the time after, which current metaphors can't describe, across the event horizon towards a singularity much discussed elsewhere. Last free clue: eukaryotes are organized well enough to form joined colonies of higher "individual" organisms, while prokaryotes float in the medium, eaten as food.

      You don't know me well enough to call me dude. And you've just failed the entrance exam with your crass ignorance in public. Stick to the keyboard, dude: you're peaking, and probably doomed to life adrift in a meatspace where that keyboard is your only escape from mundane reality to dangerous but exciting encounters with people smarter and better defended than you. Try again when you've got some insights to offer.

      --

      --
      make install -not war

    6. Re:Going Nuclear by Doc+Ruby · · Score: 1

      The only flaw in my post was that I allowed you to read it. More accurately, that I read your reply and cared enough to reply to its wrongheaded nonsense.

      Webs of trust don't rely on starting with a pristine, absolutely trusted component, an absolute against which everything else is measured in binary "trust" status. As I mentioned, compromises are validated against known levels of trust on an ongoing basis in that model. Risks are continuously evaluated, as they often are now, but are always communicated to peers. Which allows peers to update counterparty trust scores, usually before their risks exceed their defenses and their reports become untrustable. "Degrees of trust", as I said.

      You're further deluded in believing that your porn habit with untrusted sites reflects on the disciplined behavior I described. Maybe you run executables you download from porn pages, but sensible people don't, because porn sites are below that threshold in their web of trust - but not excluded entirely.

      You're not paranoid, you're just masturbating and lonely. So don't expect me to mention your concerns about "trusted computing astroturf" the next time I talk to Bruce Schneier. Or any of the bankers in New York, Toronto, Montreal and DC for whom I produced secure systems. Please do not bother messaging me again, until you've upgraded your wetware.

      --

      --
      make install -not war

    7. Re:Going Nuclear by Doc+Ruby · · Score: 1

      Tipping points transpire every day, all the time. The words are a newly popular metaphor for an essential natural dynamic, as old as Lorenz, but new in paperback. The "tipping point" for seeing tipping points has arrived, so people without vision think they're just another buzzword, without realizing that the term merely tracks an evolution in our consciousness.

      You're talking about computers and people from a 20th Century paradigm. The biggest computer maker is Nokia, not Dell. And the basic apps are contactlist and calendar, not Word or Excel. Those dinky "phones" are kind of smart, but only at their specialty, connecting to smarter specialists elsewhere on the network as needed. Which demands whitelists, as "who you know, not what you know" governs all human communications and achievement.

      So you can wring your hands over yesterday's tech, the old world order, the familiar mess in which you're caught. The webs of trust will have their own problems, and human corruption will probably only exacerbate as it's more defensible, "public view" less certain. But you'll be dragged along in it, probably unwittingly, as it evolves around you.

      --

      --
      make install -not war

    8. Re:Going Nuclear by Sven+Tuerpe · · Score: 1
      Maybe you run executables you download from porn pages, but sensible people don't, because porn sites are below that threshold in their web of trust - but not excluded entirely.

      I don't, unless a porn site makes my browser run it through exploitation of a vulnerability in it. And that's the whole point of what I wrote: a pr0n site that exploits vulnerabilities in my software will not be stopped from doing so by all your trust voodoo. Which is not only irrelevant in a world made of less-than-bugfree software but probably also too complicated for mum and dad to understand. I wish you good luck disciplining them.

      --
      http://erichsieht.wordpress.com/category/english/
    9. Re:Going Nuclear by Doc+Ruby · · Score: 1

      You don't execute porn downloads, but do display them. Because that's how much you trust the sites. You say you don't trust them, but you do. That's their degree of trustedness, as demonstrated by your actions. Since you don't even admit that you draw a line that includes some of their data as trusted, I can't describe your habits as "discipline". Just because I didn't describe how the tech to manage the web of trust will appear to most people, mostly unsophisticated, doesn't mean it won't work. Clicking on a web link already is more complicated than your parents to understand, but it's wrapped well enough that they can just do it. With the focus moving to dinky personal mobile devices, that apparent simplicity will mask a lot more complexity. And "trust the person your security insurance company subscription shows is trustworthy" is a lot simpler than "should I click on that link in my email that says it's from my bank".

      I'm not going to invent everything myself in a Slashdot post. Though you'll be welcome to use it with me when it arrives. But don't expect to be trusted: your obstinately naive messages haven't earned you a high whitelist rank.

      --

      --
      make install -not war

    10. Re:Going Nuclear by Sven+Tuerpe · · Score: 1
      You don't execute porn downloads, but do display them. Because that's how much you trust the sites. You say you don't trust them, but you do.

      How could I -- before even having seen anything?!? OTOH I may trust a stranger after having seen him, based on his appearance and behavior. This trust may later turn out as having been misplaced. Shit happens, and confidence games are about making shit happen. That's how simple it is, be it offline or online. I do trust my Web browser for instance: it never betrayed me. Which implies that I simply expect my Web browser to do no serious harm to the rest of my system, no matter what I do or watch. I may not trust Windows Media Player if I rarely use it, but trust may build during weeks of watching pr0n, provided bad things do not happen to me (or I do not notice them happening).

      Conclusion: save your trust management for conference papers. In the real world we just need secure Web browsers (and operating systems, and media players, etc.)

      ... I can't describe your habits as "discipline".
      Am I the first human you ever met? SCNR.
      --
      http://erichsieht.wordpress.com/category/english/
    11. Re:Going Nuclear by Doc+Ruby · · Score: 0

      How could you trust the porn sites before seeing them? I don't know - but you do. You let your browser consume their pages, taint your apps and OS with data from them to process, give them your IP# associated with your personal sex preferences. Yet you claim you don't trust them. Which you shouldn't: the entire point that I'm tired of repeating is that we're moving past the "trust until shown otherwise" to the "distrust unless assured otherwise".

      In the "real world" that you describe, even as you engage in fundamental denial of your real actions, "secure Web browsers" aren't all-or-nothing affairs. Making security policies on one's own is too difficult, complex, and ignorant of all the other relevant security info. So webs of trust, which reflect how humans already act, are the way we're going. You're going there, too, along with everyone else.

      Though you're kicking and screaming to the contrary. Like an obnoxious jerk in denial. Having met you, I'm not really sure that I've met another "human". You sound more like a broken record.

      --

      --
      make install -not war

    12. Re:Going Nuclear by Sven+Tuerpe · · Score: 1
      You let your browser consume their pages, taint your apps and OS with data from them to process, give them your IP# associated with your personal sex preferences.

      I think I understand now: You must be one of the guys those funny your-computer-transmits-an-IP-address-so-please-download-our-spyware ads are aimed at.

      Let me explain. Using a dialup account I will get a new IP address each time I watch pr0n. This temporary association of my IP address with my personal pr0n preferences -- not necessarily the same as my sex preferences -- is rather harmless. While there exists an association between that IP address and my name and other personal details, this association exists in a different place. And where I live my dialup provider is not allowed to give this data to my pr0n provider without my permission. A matter of trust, to an extent; enforcement is needed only where trust failed.

      Would you be so kind now and explain how processing data could "taint" my computer and my OS and my application software? I thought it was the whole point of these things to process data! And I don't expect much, I just want this pr0n to be displayed on my screen. Which might become more risky if in addition to my Web browser and media player a trust manager is involved, adding bugs to the system without protecting me from assigning trust to parties I shouldn't. Or do you plan to manage my trust for me?

      --
      http://erichsieht.wordpress.com/category/english/
    13. Re:Going Nuclear by Doc+Ruby · · Score: 1

      Go read a book on info security. Schneier's _Applied Cryptography_ is the bible, if you can handle it. I'm exhausted explaining to you how the "magic" inside your computer is really a complex system vulnerable to people you trust too much. That we all are moving towards a "trust no one unless a reason to trust" model, which will simplify everything. If you can tear yourself away from your porn, you might learn something. Quit bugging me with lazy, ignorant, loaded questions. Your posts aren't dangerous, but they've worn out my patience.

      --

      --
      make install -not war

    14. Re:Going Nuclear by Jonboy+X · · Score: 1

      [U]ntil the infodynamic boundary between humans and machines is no longer mediated by non-nervous tissue (like typing fingers and seeing eyes), it will primarily define our machines, as well as ourselves.

      The point I was making was that your spiel about "removing infodynamic boundaries" is completely counter to your entire metaphor, and just thrown in at the end to sound 1337. When you are part of the computer, it makes it harder to separate your information from the machine's, eh? The same thing happened when computers became part of networks: it became harder to keep your info in (passwords, credit card numbers) and bad information out (viruses, trojans).

      Higher levels of encapsulation between systems generally make both sides of the transaction more robust and secure, whether it be keeping DNA relatively safe inside a cell nucleus or keeping our personal information separate from our computer's unless there's a good reason to share. Thus, the general trend in the evolution of systems is toward more encapsulation. Removing the boundary between yourself and your keyboard is the opposite of encapsulation, so according to your own pattern, it is less likely to occur.

      However, it *would* slightly increase the odds of you getting some, by allowing you to seduce women without being discovered for the whiny dork that you most likely are until the last possible moment. Your "tipping point" is mostly wishful thinking: you're an outcast in this world, so you might as well fantasize about the next one where you might fare better.

      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
    15. Re:Going Nuclear by Sven+Tuerpe · · Score: 1
      That we all are moving towards a "trust no one unless a reason to trust" model, which will simplify everything.

      So we will no longer trust the company that makes our Web browser and media player and operating system and applications -- unless they give us a reason to? Hmm, I think I will watch pr0n from DVD then. Or make my own, perhaps? You know, I cannot really trust the DVD rental company either. Data on the pr0n disk could taint my player, no?

      Quit bugging me with lazy, ignorant, loaded questions. Your posts aren't dangerous, but they've worn out my patience.

      This means to an extent, you trust me: you believe my posts aren't dangerous, and I am a harmless moron. You don't fear that anything in our conversation might be part of a malicious attack against you or anybody else. You will not trust me regarding security competence of course. If I sign a PGP key or certify that some application is secure you will laugh at it. But I guess by now I managed to create an impression within your mind that makes you less likely to expect sophisticated, malicious attacks from my general direction.

      You are wrong. (How many posts did this take me?)

      --
      http://erichsieht.wordpress.com/category/english/
    16. Re:Going Nuclear by coolGuyZak · · Score: 1
      You let your browser consume their pages, taint your apps and OS with data from them to process, give them your IP# associated with your personal sex preferences.

      That's not a security vulnerability. That's a feature! The "taint" my apps and OS get from porn sites allows them to advise me as to further offers that I may be interested in. It even pops up a helpful little window. One moment, I am giving a powerpoint presentation to my manager... Then fuck.exe opens up 3 pop ups and I realize, "Hey! I really do want hot goatse action!" For all I know, my boss might too. Always good to spread the word.

      As for the IP tracking, I have found it to be very helpful. The first few times I visit a site, they might not know that I'm into the hot [vulgar] action. They figure it out soon enough, though.

      Disclaimer: it is very early in the morning and I am having trouble sleeping... Please accept my apologies and realize that this is a joke.

    17. Re:Going Nuclear by Doc+Ruby · · Score: 1

      You've conflated my self confidence in my mind processing your ideas and my trust that my machine can process the text you send through Slashdot through it. Predicated on the disposable nature of this machine from which I reply, and my knowledge that I can laugh at anything I read, that it will hurt me only if I let it. I wish the machine had a whitelist, and the friend:noise ratio were higher, with less effort, even with less wasted posts.

      You just be yourself: at best, you're amusement, at worst, a bore.

      --

      --
      make install -not war

    18. Re:Going Nuclear by Sven+Tuerpe · · Score: 1
      ... at best, you're amusement, at worst, a bore.

      Much like ... pr0n.

      --
      http://erichsieht.wordpress.com/category/english/
  62. "Totally Inadequate." by lullabud · · Score: 1

    Totally. You have zero security. Zilch. None. Seriously. That firewall you have? Nada. It doesn't protect you at all. That unprivileged user you're using? Nope, not gonna cut it. There is no security. Seriously. Nothing is adequate. Nothing. Your security, regardless of what system you run, is Totally Inadequate.

    *yawn*

    Sure... whatever.

  63. Re:the best systems today are totally inadequate-n by Anonymous Coward · · Score: 0

    If you have a Windows or Linux box connected to the Internet this is almost certainly the case.

    Bit of a stretch for a site like slashdot.

  64. Re:Hydrogenous Infrastructure. by Anonymous Coward · · Score: 0

    My apologies. I thought he'd written the non-word hydrogeneous (like heterogeneous or homogeneous), in which case water would be a more likely interpretation.

  65. Rootkit? by imunfair · · Score: 3, Informative

    First I saw them talking about Mac... then I thought well - it's BSD based now, which has been around practically forever.

    Then I saw them mention a root kit for OSX and wondered to myself what good that would do without actually having a way to gain control in the first place.

    (See definition of rootkit from wikipedia: "A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes."

    Note the words "after cracking" and "maintain" ... not "hack into" and "gain")

    Sounds like a bunch of malarky disguised as solid information to scare people who aren't aware of more advanced computer concepts.

  66. you never do anything nice by bubbaD · · Score: 1

    You didn't auto-link the URL (hint:instructions below the Post Comment window) And its Foresight is at 0.9 release stage, not yet 1.0.
    There are PPC Linuxes you could've recommended, but you didn't have the Foresight!

    If you really want security, try http://openbsd.org/ for powermacs:
    http://openbsd.secsup.org/3.7/macppc/ or for serious stability and security http://openvms.org/
    Clam Anti-Virus is available for Mac OSX
    http://www.markallan.co.uk/clamXav/

  67. Oh, I doubt it said that... by Anonymous Coward · · Score: 0

    You know, there's nothing like the sight of a young illiterate buck trying to impress random strangers on a computer bulletin board with a wild-ass guess about how to decline Latin words.

  68. !!!omfg by leeharris100 · · Score: 1

    It's a good thing Fox news told all the /.ers that computer security is inadequate. I might not have ever heard this!

  69. There are some good points by Anonymous Coward · · Score: 1, Interesting

    My Aunt who runs OSX knows nothing of viruses, only thing she knows is what she was told "you can't get viruses in MACs, it's a Windows issue"

    Now let's just say a MAC virus was circulating, and she got it... how would she ever know? That virus would reside on her machine forever!

  70. Your barber called by Trailer+Trash · · Score: 1

    Seems you need a haircut.

    Oh, and Symantec says you aren't safe, and some guy in England who competes with open source software says it is going to ruin his industry without government help.

    Anyone see a pattern?

  71. Missing the point by Anonymous Coward · · Score: 1, Insightful

    I think what is trying to be said is that our computer industry as a whole isn't thinking the correct way when it comes to applications and OS's and hardware level security.

    Look at the basic home computer connected to the internet. All ports open. Why was the OS designed this way? Why was the network hardware designed this way? Ease of use over security. Marketing over security. Cost over security.

    Why doesn't my computer question allowing an app to run? So the user can be a moron and still use it.

    Until just recently, we have been living in a world of "allow all, deny selectively" when we should have been a little bit more security savvy with "Deny all, allow selectively"

    Everyone in the industry is to blame for this, not just the big security leakers.

    1. Re:Missing the point by Anonymous Coward · · Score: 1, Interesting

      This is why I put my first firewall on my internet connection back in 1995. I re-purposed a tiny old 386 to run Linux, have a network card and connect to a modem. It worked for me until a couple of years ago when I switched to a wireless access point/firewall connected to a cable modem also running Linux, but using even less power and no moving parts.

      Behind the firewall I put a few computers and had on demand dial up. The funny thing is that the tiny little 386 running Linux and caching the name server access up sped up my web browsing by at least double, and that was with no web proxy at all. The dialup was just faster on that old linux box than windows 95 on much more powerful hardware.

      Total cost? Free. This was old hardware that was dumped by people when they upgraded and 50 feet of excess 10Base2 wire and a few connectors and terminators from work. Don't worry, they got paid back when I built them a multi line fax computer that could forward faxes to our main office, in a week using Linux after no commercial vendor had a comparable product that did what we wanted for any amount of money.

  72. Firefox by Anonymous Coward · · Score: 0

    The small coding errors that lead to the everyday buffer overflows are much more apparent when you are reading C++ rather than a disassembly of IE. Sure, it seems like Firefox is getting some flak lately about it not being secure, but consider, friends, that said coding errors are found and fixed many times faster for the same reason. ...and Apple has Darwin. Close 'nuff.

  73. CPM Security is pretty easy, actually. by Arker · · Score: 1

    You just keep a hashtable of all your executables, make sure the first thing that loads after the kernel is the module that checks them all out, and run a TSR that blocks write-access to those files, or allows it and updates the tables instead if given an override. Same thing I used to do on DOS. Sort of goes back to the earlier discussion about 'default deny' and 'enumerating badness.'

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
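The scheme in the comment above (a hash table of executables, a check that runs before anything else, and a write guard whose override updates the table), sketched in Python as an added example that is not part of the original comment. All names here (`build_table`, `verify`, `GuardedStore`) and the sample files are constructed for illustration; it assumes a POSIX file system where the execute bit marks executables.

```python
"""Executable-integrity baseline: hash table, startup check, guarded writes."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    # Regular files with any execute bit set; symlinks are skipped, not followed.
    return (not path.is_symlink()) and path.is_file() and bool(path.stat().st_mode & 0o111)


def build_table(root: Path) -> dict:
    """Map each executable's path (relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if is_executable(p)}


def verify(root: Path, table: dict) -> dict:
    """Startup check: compare what is on disk now with the stored table."""
    current = build_table(root)
    return {
        "modified": sorted(k for k in table if k in current and current[k] != table[k]),
        "missing": sorted(k for k in table if k not in current),
        # Default deny: an executable that was never baselined is a finding too.
        "unknown": sorted(k for k in current if k not in table),
    }


class GuardedStore:
    """Stand-in for the write-blocking TSR: deny writes to baselined
    executables unless an explicit override is given, then re-hash."""

    def __init__(self, root: Path, table_path: Path):
        self.root, self.table_path = root, table_path
        if table_path.exists():
            self.table = json.loads(table_path.read_text())
        else:
            self.table = build_table(root)
            self._save()

    def _save(self) -> None:
        # The table must live where the guarded programs cannot write
        # (read-only media, or signed); otherwise it can be rewritten too.
        self.table_path.write_text(json.dumps(self.table, indent=2, sort_keys=True))

    def write(self, rel: str, data: bytes, override: bool = False) -> None:
        target = self.root / rel
        if self.root.resolve() not in target.resolve().parents:
            raise ValueError(f"{rel} escapes the guarded directory")
        if rel in self.table and not override:
            raise PermissionError(f"{rel} is a baselined executable; write denied")
        target.write_bytes(data)
        if rel in self.table:                  # override path: update the table
            self.table[rel] = sha256_file(target)
            self._save()


def demo() -> dict:
    """Run the scheme over a constructed directory of sample 'executables'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        for name in ("ls", "cp"):              # constructed sample programs
            (root / name).write_bytes(f"#!/bin/sh\necho {name}\n".encode())
            (root / name).chmod(0o755)
        (root / "notes.txt").write_bytes(b"data, not code\n")  # not executable
        store = GuardedStore(root, Path(tmp) / "table.json")
        clean = verify(root, store.table)
        try:
            store.write("ls", b"#!/bin/sh\necho changed\n")
            blocked = False
        except PermissionError:
            blocked = True
        store.write("cp", b"#!/bin/sh\necho cp v2\n", override=True)
        after_override = verify(root, store.table)
        # Changes made behind the guard's back are caught by the next check.
        (root / "ls").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "dropper").write_bytes(b"#!/bin/sh\n")
        (root / "dropper").chmod(0o755)
        tampered = verify(root, store.table)
        return {"clean": clean, "blocked": blocked,
                "after_override": after_override, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The guard only covers writes that go through it; the startup check is what catches changes made around it, which is why the comment pairs the two.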
  74. Re:Three Steps to 100% Computer Security by rtaylor · · Score: 2, Funny

    4. Watch as thieves take your computer because you forgot to close the safe door.

    --
    Rod Taylor
  75. AJAX tool to examine log files by PMcGovern · · Score: 1

    Splunk has a new search engine which allows you to examine your log files for either security or troubleshooting related issues. The server (free) uses GoogleSuggest-like type-ahead and dynamic graphs to allow you (a sysadmin) to view all the different logs that are in your system (or datacenter) occurring in real time. It uses Ajax and a lot of javascript to make the experience of flipping through log files and finding specific events very fluid. While it won't prevent security issues, it will certainly help make them more detectable.

  76. jellomizer: Vindictive ass. by bigtallmofo · · Score: 4, Insightful

    When I first replied to jellomizer with what I thought was a reasonably tactful correction of his use of the word "hydrogenous", his signature said something to the effect of "Waiting until I get a root post with +10 Yea!" (paraphrasing).

    Well, after I posted my response to him (read it for yourself here), he changed his sig to:

    --
    Insult me if you feel you must, I'll just mod down your other messages.


    Out of curiosity, I checked my user page. Several of my comments in the last couple days have been modded down. Of course, nobody would have any reason to mod them down - they're long since off the first page.

    Karma is so ridiculously easy to come by that I wouldn't imagine anyone would care enough to do such a thing. I think this qualifies as the most asinine use of mod points in quite some time. Congratulations, asshat!

    --
    I'm a big tall mofo.
  77. Fixed the Article Title by tktk · · Score: 1

    Computer Security Products by Symantec Still Totally Inadequate

  78. One little difference by Ernesto+Alvarez · · Score: 2, Insightful

    Even assuming firefox has as many vulnerabilities as IE, there is still a matter of design that is advantageous to firefox (and detrimental to IE): Firefox is relatively isolated from the rest of the system, while IE is fully integrated. That allows a vulnerability in one part (say IE) to affect others (like Office or Outlook). It's not the first time a vulnerability in IE can be exploited via malicious e-mail. In the case of firefox, most of the damage tends to remain in the same place (firefox). Even if you somehow use firefox applied to incoming mail, a vulnerability would mostly leave the intruder/malware with firefox's capabilities and usually not with the MUA's.

    It's just a matter of modular design.

  79. Re:Three Steps to 100% Computer Security by Ernesto+Alvarez · · Score: 1

    See why computer security is so crappy?

    Here we have a fine example of sloppy security design, where for wanting to speed things corners get cut, and the system turns out to be much less effective than it should be (namely because of the lack of concrete and ocean bottom).

  80. Mac user for 21 years, only 1 virus by Anonymous Coward · · Score: 0

    It's not security through obscurity, it's just plain secure.

    Defending Microsoft is a symptom of the disease "Stockholm Syndrome"

    1. Re:Mac user for 21 years, only 1 virus by njyoder · · Score: 1

      21 years? You realize that all pre-OS X versions of Mac OS had no memory protection mechanisms, right? That means any program you would run could modify all of running memory, including the kernel.

      It was definitely security through obscurity.

    2. Re:Mac user for 21 years, only 1 virus by Onan · · Score: 1
      Lacking protected memory is clearly a disadvantage, but it doesn't automatically translate into instant vulnerability. It just means that you lack security compartmentalization once some part of the host has already been compromised, but it doesn't necessarily make the border any less secure.

      So yes, any program you ran could do that, but that doesn't necessarily mean that any program did.

    3. Re:Mac user for 21 years, only 1 virus by njyoder · · Score: 1

      Uh, hello? Did apple even release a single advisory for its software pre-OS X? There undoubtedly were many buffer overflows lurking in common software used, it wouldn't be hard to compromise. And there's no patching system before then either.

  81. Thanks for the idea by Anonymous Coward · · Score: 0

    ...an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours... Got some base code to help get us started? I'm all for re-use of code. ;-)

  82. benefits of wiping PC's by Anonymous Coward · · Score: 0
    "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said.

    Wouldn't this also take out most of the machines that are now available for bot attacks, spam relays and phishing websites? Sounds like this attack of this nature would greatly improve internet security.

  83. Re:Three Steps to 100% Computer Security by dpilot · · Score: 1

    4. Use supplied scissors on the network and power cables.

    --
    The living have better things to do than to continue hating the dead.
  84. Pfft, ultimate security is easy by RobertF · · Score: 2, Funny

    I secured an old laptop of mine recently, now I fear no viruses, worms, spyware, adware, or anything any cracker wields! Haven't had a single problem since. It was easy. I took out its networking card.

    --
    And that, my liege, is how we know the Earth to be bannana-shaped.
  85. Symantec, state of the fear address. by NullProg · · Score: 1

    Riddle me this, how does one infect a Linux/BSD based system through the browser? Bad syscall(), been fixed. New syscall() maybe, we need to be diligent. Open ports, not on by default. Brain dead user, possibly leads to a DOS compromised system (Easily fixed if the browser runs at a different level and cannot modify the users environment). A BSD/Linux system can be compromised by any running service (daemon) that hasn't been audited. I hope even the newest Linux/BSD users know how to install from trusted sources.

    Symantec/Norton used to provide great system utilities/compilers (Think C), now they only sell services that any decent OS should provide by default. It's a good company but lacking any forward revenue stream vision.

    IMHO a suggestion would be for Symantec to setup a repository for closed/open source programs. Charge a subscription fee for security audited/certified programs for users to download. Sort of like UL labs only for programs. I would be willing to spend a reasonable yearly amount for hassle free certification for binaries. Think (Symantec Certified Labs) Wesnoth, Glest, Scribus, Blender etc. binaries. It'd be a bitch to manage if they didn't settle on only supporting the big three (SuSE, Mandrake, and Redhat).

    Just a thought,
    Enjoy.

    --
    It's just the normal noises in here.
  86. Re:the best systems today are totally inadequate-n by seb249 · · Score: 1

    Think the "almost certainly the case" is going a bit far. You can never be 100 % certain that your machine has not been compromised, no matter what the OS, and just because there are no "published to the masses" exploits does not mean that there are no exploits.

  87. Register this. by planetfinder · · Score: 1

    It's almost like The Register equates negativity with objectivity. Maybe they don't. Maybe they just enjoy publishing the drivel that comes out of the back end of a camel or a buzzard.

  88. Again? by Durandal64 · · Score: 0, Troll

    Are we still talking about that stupid rootkit that actually requires root privileges to install?

    Why is it that people can't accept that Windows simply has the unenviable position of being the most popular and the most insecure OS around?

  89. ... vs dark present and past? by edunbar93 · · Score: 1

    I'd rather live in fear of a dark future than live in darkness now, thank you very much.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  90. How about a 'bot list? by Anonymous Coward · · Score: 0

    If there are so many bots out there, why don't we make up some monitoring software (Microsoft could distribute it as an automatic update) that will locate them, and report them. Then, Microsoft could put a little icon on everyone's start menu to check if they have been used as a bot. Better yet, send out a message to that annoying IP Messager to notify people.

    Andy Out!

  91. The REAL explanation by TheGSRGuy · · Score: 1

    It's Skynet...don't any of you ever watch movies?

  92. In Other News... by Anonymous Coward · · Score: 0

    The sky, scientists report today, is still blue. More on both these late-breakings stories as we get it...

    Why don't they just tell us when security is adequate?

  93. Re:the best systems today are totally inadequate-n by Xugumad · · Score: 1

    On Linux systems, patched daily with the latest security updates, running behind two different firewalls (and different brands of firewall too), with only encrypted connections for authentication, you'll understand if I'm skeptical that the systems have been hacked into?

  94. in response to "immune" systems... by KillShill · · Score: 1

    you can still pass on viruses to other vulnerable systems.

    so it doesn't matter that you aren't infected, it's still not safe to be promiscuous because it can potentially harm others.

    linux/mac/fbsd/etc people still need to virus scan files, just not on a real-time basis (unless you feel that's warranted).

    being a good net citizen requires people look out for each... though how many people really try to do good, no matter how small...

    --
    Science : Proprietary , Knowledge : Open Source
  95. Re:Hydrogenous Infrastructure. by BrokenHalo · · Score: 1

    Hydrogenous sounds like more fun, though. At least you could put a match to it when you're feeling bored... :-D

  96. Re:jellomizer: Vindictive ass. by BrokenHalo · · Score: 1

    Sounds like another good argument for turning off viewing of sigs. You might as well, they never contain anything germane to the topic in question anyway.

  97. My guess... by Fantasio · · Score: 1

    This is phase one of a FUD style advertisement campaign. Be prepared to see very soon on the shelves : - Norton AV for Mac - Norton Firewall for Firefox

  98. Destructiveness vs. Infectiousness by logicnazi · · Score: 1

    No, you couldn't wipe out half the computers on the internet. Just like with real viruses there is a trade off between how infectious you can be and how damaging you can be. If you kill the host it can't keep spreading your payload.

    --

    If you liked this thought maybe you would find my blog nice too:

    1. Re:Destructiveness vs. Infectiousness by thebatlab · · Score: 1

      Right, but you could spread for a while and then kill. You may not get the absolute best of both worlds (although killing is killing) but would get a much better total payload than choosing one or the other.

  99. so long as systems are similar enough... by 3seas · · Score: 1

    ...What I can't seem to not think about when I read articles on security is the fact that systems with a small following have a tremendous level of security in only the fact that it's typically too small a target to hit.

    Though a Diebold voting machine provides extra incentive to hack ....

    Now what if each system was unique enough that nobody had the full map of which systems are alike enough to really know or target effectively?

    Like how systems are different enough that they are immune to the viruses and such targeted for other systems.

    Though this might seem impractical from the stand of what has been generally practiced in the software industry, that is perhaps only due to proprietary system.

    The key difference is the use of OSS in the practice of machine specific compilation, where the user can alter their machine's fingerprint or DNA with some sort of unique code or seed value.
    A value that is applied in the compilation process.

    And what of script kiddies and the likes?

    you can't hurt a system that is Read Only, such as on a CD.

    And data, user data, how to protect it from illegal access or wrongful manipulation?

    Simply don't have any possible connection between the online system and the information. Where transfer storage is getting to be the size smaller than a key. Where only such information/data you want to connect to the internet can only be done with some level of intent or direct human physical transfer of it.

    Of course the solution directions greatly nullify proprietary software, because such is typically not unique enough...

  100. Predictably, the /. response is head in the sand by suitepotato · · Score: 3, Insightful

    No one thought the Unix systems of yesteryear were so vulnerable. They were. No one thinks the Unix systems of today are as vulnerable. They are. In years past it was naive lack of understanding of the basic nature of the user base. These days, naive lack of fear.

    I've seen people have that same attitude before someone draws down and leaves them a crumpled mess on a bar room floor. It didn't help them and doesn't help the OSX, BSD, and Linux crowd. You cannot underestimate the danger of the average users' whimsy and inexperience, the truly committed crackers, and the legions of script kiddies who learn their tools from the first two. It isn't Windows that is insecure and dangerous. Windows does nothing it isn't told to by people stupid enough to tell it so by accident or on purpose.

    The future is pointed at self-contained encrypted containers of both interpreted and compiled code objects flitting about the global net and this future will be embraced by Microsoft and the only way that Microsoft will not entirely control it is if the major vendors arrayed against them co-opt the paradigm with standards themselves. The law of unintended consequences being what it is, there is no way that the non-MS community can say credibly that the sheer combinatoric explosion of possibilities for system interaction in this future will not affect them, no matter what their safeguards. It's like trying to guess the outcome of a mating based on a glimpse of a few genes of one parent.

    Assume the worst or the worst will happen to you. Holds true in survival on the streets, in the jungle, or on the Internet. Blowing off the very idea is foolhardy in the extreme. The only option for Linux for its part to avoid it is to remain a sado-masochistic wrong and hard is better than right and easy platform which scares away the average user. In that case, Microsoft's hegemony is assured simply through the incompetence of their opponents, not that it isn't close to that already.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  101. Re:Three Steps to 100% Computer Security by kesuki · · Score: 1

    I prefer this method of security http://www.uoe.dk/csworld/security-.html

  102. Why that will never happen. by edunbar93 · · Score: 1

    We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours

    Except for the fact that if anyone ever actually did that, they would be hunted down in record time, arrested, imprisoned, raped, beaten, shot, stabbed, then released into the woods, only to be hunted down again by vicious dogs and torn to shreds before finally being set on fire. And then sentencing will commence. The sentence will likely be something to the effect of one million consecutive one-year sentences, with the chance of parole after 6 months. Each time.

    Anyone smart enough to implement such a virus is smart enough to know what's coming.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  103. Am I the only one? by WhoDey · · Score: 1
    Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE
    Am I the only one who doesn't quite understand this? How is a web-application level vulnerability such as cross-site scripting dependent on the browser being used? Does IE magically detect cross-site scripting and fix it (ha! at any browser doing that)? If there is an XSS problem, it is a fault in the design of the web application. If it is being used to exploit a trusted zone, then that's a misconfiguration of the browser, not a security problem with the browser. Period.
    1. Re:Am I the only one? by atomic-penguin · · Score: 1

      Either Graham Pinkney is full of shit.
       
      -OR-
       
      This is a new definition of Cross-site scripting of which I am unaware.

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  104. Next Article by Anonymous Coward · · Score: 0

    Water is wet...film at 11

  105. Re:Three Steps to 100% Computer Security by eosp · · Score: 1

    Typical useless /. post, and I'll probably get modded down, but my fingers are now operating independently of my mind and I can't stop typing. 4. ??? 5. Profit!

  106. So why hasn't this happened already? by redelm · · Score: 2, Insightful
    Nothing new in this article. The big question remains: if the potential is that large, why hasn't it happened already?

    I suspect it is for one of two reasons: Either doing physical damage to the PC (BIOS/MBR wipes) isn't that easy; or the machines are better protected than we think. Many people have hardware firewalls as part of their home routers. AOL can't be trusted to pass any packets..

  107. Firefox could be as bad by einhverfr · · Score: 1

    IE's fundamental problems have been with ActiveX and the porous security barrier between security zones. Firefox also has a security barrier that could be as porous-- the barrier between Chrome and web documents. I would expect most of the security issues to exploit this barrier (which indeed many of the spoofing attacks have).

    If you want the best security, go with a non-XUL Mozilla-based browser, like Epiphany. But Mozilla/XUL is a very great RAD environment. But a secure web browser, it is not.

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:Firefox could be as bad by dhasenan · · Score: 1

      Forget Epiphany, go with Dillo. Dillo won't even allow those CSS exploits to get through.

  108. The First Steps in Computer Security by scdeimos · · Score: 1

    Home/Professional versions of Windows should:
    (1) Not allow new Local Users to be in the Administrators group, and
    (2) Force the Administrator account to logout after five minutes.

  109. Symantec FUD by Anonymous Coward · · Score: 0

    Having Microsoft onboard as a major shareholder I am not surprised if Symantec has received the order to spread FUD about Firefox and Mac OS while defending Internet Explorer. It is sad to see them resort to these kinds of methods and attacks below the belt but, as always, the truth will prevail.

  110. Re:Computer viruses like their biological counterp by Nasarius · · Score: 1
    The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).

    Your analogy fails when you realize that not all computers will be vulnerable to the same virus/worm. A good worm can reach every vulnerable host on the Internet within hours. Once you've reached this saturation point, there's no way to reproduce without injecting new exploits. In the real world, everyone is vulnerable, but the transmission rate is much slower.

    --
    LOAD "SIG",8,1
  111. I thought that was what mod points are for ? by bxbaser · · Score: 2, Insightful

    obvious sarcasm
    But sounds about right for slashdot modding lately.
    I usually waste 2 or 3 mod points when they run out I guess maybe some people just use them up randomly.

  112. The Ultimate Problem by AntiCopyrightRadical · · Score: 1

    The real problem with computer security today is the attitude of programmers.
    People say it's impossible to write bug-free software, and that is simply not true.
    It is difficult to write bug-free software, and may be virtually impossible to prove that it is bug-free, but it can be written.

    10 PRINT "Perfect code"
    20 END

    Yes, I know it's a simplistic example, but at what level of complexity does perfect code become impossible?
    Is it possible to write a perfect stack? a perfect text box widget? a perfect video player?
    From a few simple perfect pieces it should be possible to construct a bug-free web browser.
    Is it impossible to build a full-feature bug-free operating system?

    For most of my life, I've heard people say that every complex piece of software must have bugs in it, and these are inevitable. I believe that if current attitudes and results about development continue, within 10 years new coders will be hearing that "It is impossible to write complex software that isn't subject to running arbitrary code."
    This would give a big boost to the cyberpunks and authors of emergent AI sci-fi, but I don't think things need to be that way.
    Maybe you can't write perfect code, but you can at least try.

    --
    Abolish Copyright. Restore Freedom.
  113. Symantec should talk by sdedeo · · Score: 4, Insightful

    The only problem I've had with my Mac came, surprisingly, not from some unknown and undiscovered internet vulnerability, but from Symantec.

    That would be the "Norton Utilities" for Mac OS X they wrote and sold, that corrupts your hard drive because Symantec didn't bother to figure out how our filesystem works. Wonderful. I had to buy Diskwarrior to sort it out.

    If you go to the Amazon page for the Norton Utilities they sold, it's still there, but along with the dozens of one-star reviews, there is a suggestion that Symantec has quietly stopped shipping it.

    It will be a long time before Mac users trust Symantec again.

    --
    Protect your liberties. Donate to the ACLU
    1. Re:Symantec should talk by softweyr · · Score: 1
      Symantec must be about to release a new edition of Mac OS X tools; they've been bad-mouthing OS X security for months now. As the old saw goes, there's more money to be made in extending the problem than in fixing it.

      Or perhaps it's just the curious fact that every time Symantec says something, Bill Gates' lips move...

  114. Damn! by msormune · · Score: 1

    I just crapped my pants for reading this article. Oh wait, no I didn't. Going to play Darwinia now.

  115. When? by red990033 · · Score: 2, Insightful

    When are we ever going to have adequate security? The term adequate is subjective. An unpatched, unfirewalled, virgin copy of WinXP could be adequate for any novice user, on the other hand, some would argue a computer with no external drives, nothing on the hard disks, locked inside of an Iresali safe, with welded chains on the outside, then sent into orbit in the outer parts of our solar system is still not secure!

    There will never be adequate security. This is for one small reason. There is no such thing as a perfect system. The more advanced they become, the higher our standards will get. Adequate security is relative to our standards, thus is subjective.

    --
    Do what I say, cuz I said it.
    -Meatwad
    1. Re:When? by Sigma+7 · · Score: 1
      on the other hand, some would argue a computer with no external drives, nothing on the hard disks, locked inside of an Iresali safe, with welded chains on the outside, then sent into orbit in the outer parts of our solar system is still not secure!


      That's because that can still be penetrated without problem.

      You need actual defences to prevent intrusion, such as something that actively repels intruders. For example, have a microphone system playing Barney songs in a continuous loop, enclosed within the safe covered with Jar-Jar posters.

      Other than that, you just need to wait until automatic defence turrets can be shipped.
  116. Symantec are parasites by petrus4 · · Score: 1

    They talk about Firefox and the Mac being insecure because they *want* them to be...it's wishful thinking.

    They're a company that have always made a living out of Windows being so poorly designed. If end users move to operating systems that were designed by people who actually had half an idea what they were doing, business for Symantec is going to dry up.

    It's exactly like the pharmaceutical companies and the medical industry...they don't make money from people being healthy. They make money from people being sick.

    Symantec trying to give people FUD that other systems are insecure is entirely predictable...they won't make sales unless people believe such things.

    1. Re:Symantec are parasites by Sigma+7 · · Score: 1
      They talk about Firefox [...] being insecure because they *want* them to be...it's wishful thinking.


      Too late - Firefox is insecure. It already blindingly runs Flash and Java applets, at the same priority level as the browser itself. This generally means that the browser becomes unresponsive - and that your system could easily follow suit if you have too many of those poorly designed 100%-CPU Flash ads.

      While there is FlashBlock and Ad-Block, these things really should be part of the main Mozilla browser - not an add-on. (Mozilla doesn't even have a minimalistic protection, as demonstrated by the ineffective pop-up blocker.)

      BTW, I've recently experienced a bug with the Java applet system - when it is downloading an applet, it seems to lock up the entire browser from normal operation. I don't yet have a test case, but it is something that needs to be looked at. (I'm thinking about forcing a crash just to get a bug report. Of course, it's still useless to me, since FireFox binaries don't have a client-side symbol table.)
  117. Alan Cox part by Anonymous Coward · · Score: 0

    Still, don't miss this important note, that those were lucky circumstances, virus authors were "civilized" enough so far to not yet target heavy destruction ways. Exploit, abuse - those are gentle words. We get dependent. Very dependent with plenty of those mostly unified economy boxes. Which leads to the point that diversification is one of the natural cures - a message in favor of those different boxes, even if they are similarly vulnerable.

  118. Re:the best systems today are totally inadequate-n by Jeremi · · Score: 1
    Still hasn't happened to me.


    As far as you know. Not all malware announces its presence.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  119. Re:Who do you think write these virii, anyway? by Swampfeet · · Score: 0

    If more people move to osx or linux, I guess Symantec and all the others will have to move to writing all these viruses for the new platform, to sustain business. You don't really think all the malware comes from pimply-faced adolescents, do you?

  120. Re:jellomizer: Vindictive ass. by Anonymous Coward · · Score: 0

    But he can't do that to me cause I quit on having an account a long time ago!!!!

    All my posts are AC and unattached so I can slander whomever I please (as long as no Big Secrets are revealed in the process)

  121. Java and Linux. by kaffiene · · Score: 1

    Alan Cox commented on the fact that Java made insecure programs hard to write.

    Given that /. seems to hate Java, perhaps this indicates a clue gap between those who know wtf they're talking about and the slashbot anti-java brigade?

  122. Yeah, more popular software is exploited more ... by Qbertino · · Score: 1

    ... often. That's why Apache is such an exploit ridden viri host. Oh, wait, ...

    --
    We suffer more in our imagination than in reality. - Seneca
  123. Well, why do you care? by Moraelin · · Score: 1

    Honestly, even if you cared about Karma (though beats me why would you), as you've said, it's ridiculously easy to come by anyway.

    And it's not like he'd be the first one anyway. There's a whole category of people insecure enough to throw that kind of kindergarten revenge fit. If only now you see 3 day old posts starting to get unexplained attention, eh, you haven't paid attention. If anything I find it funny that someone would be that immature.

    But, really, why would you care about it anyway? Does it really matter if your groupthink score... err... I mean "karma", goes up or down? Just say what you think and don't care about such prom-queen scores.

    If anything, that "karma" hurts more than it helps. It spawned a whole class of karma-whore prom-queens repeating the same idiocies on topics they don't even understand, just because it's what gets them points. Which is just pollution.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  124. Heheheheh I saw a Symantec guy in the street... by tod_miller · · Score: 1

    With a board saying the "EOF is nigh!".

    Hahahahah I am so scared. The problem is, a well configured firewall, and a mime filter on downloads and emails will solve all but the biggest problem.

    Internal sabotage.

    I hate how Symantec et al have gained enough money and power to fuel a self fulfilling prophecy of doom and gloom.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  125. McAfee is even worse by Moraelin · · Score: 5, Interesting

    Well, I won't disagree with you on the whole. It in fact mirrors my own thoughts and observations.

    I once got a computer virused intentionally. (That was the only Windows virus I ever got, btw, so if anyone wants to start with the canned "Windows has viruses, use Linux instead" answers, spare your breath.) I was installing Windows 2000, had no firewall handy, and thought I'm too lazy to go buy a firewall or go burn Zone Alarm on a CD on someone else's computer. Also, I didn't know yet that I could just activate the built-in poor-man's firewall (yes, you can tell Windows 2000 to not allow incoming connections) to stay safe until I download the updates and a firewall. So, anyway, I thought I'd let it get virused while I download the firewall, then format and reinstall. It's not like 20 minutes extra are a major catastrophe.

    So predictably it does catch an RPC buffer-overflow virus while downloading Sygate Personal Firewall. Then I block it from connecting to the network and play with it a little. It got me curious.

    You know what was sad? It actually slowed the computer a lot less than Norton. You know what's sadder? Installing Norton and running a full scan didn't catch it anyway. It just slowed down the computer some more.

    But still, Symantec isn't _the_ worst. Try McAfee sometime if you're masochistic. Not only was it even less efficient and slower, but it also had such gems as:

    - needed IE to download its updates, because it used some ActiveX crap, but it was too stupid to just launch IE, then. It launched the default browser, in this case Opera, and then couldn't get itself updated. That sad.

    - it was installed on D: but the updates proceeded to install themselves in the default directory on C:. Worse yet, I wasn't left with just an extra copy on the hard drive, but had two versions running in RAM at the same time.

    - this got even funnier later when I uninstalled it, because one of the two versions remained installed and auto-loaded. I had to edit the registry to stop it. (If you thought only spyware has to be removed that way, McAfee is obviously the counter-example.)

    - their "privacy" protection basically did nothing but try to protect me from cookies, including temporary login cookies on web sites. I suddenly couldn't use any sites that required login. Not even in a consistent and predictable way. E.g., Gamespy's Fileplanet got terminally confused and different pages thought that I was logged in and not logged in at the same time.

    And so on and so forth. That was a rather non-funny experience.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:McAfee is even worse by emil · · Score: 1
      yes, you can tell Windows 2000 to not allow incoming connections

      How do you do that? Does this still allow bidirectional connections that were initiated by the local system? Can you run Windows Update with this setting in place?

    2. Re:McAfee is even worse by Moraelin · · Score: 1

      Open the properties for your network connection, "Advanced", go to the properties for the TCP/IP protocol, "Advanced" again, and then on the last tab ("Options") you'll see stuff like "IP-Security" and "TCP/IP filtering". (Yes, it's very well hidden. I hadn't found it myself until someone told me it's there.)

      The last one, for example, is basically just a traditional old-style firewall: it lets you block everything except specific ports, by number. It's really primitive. It doesn't have the functionality of modern software firewalls, like distinguishing between applications, or even between directions of traffic, but then again, it works.

      It also exists since NT 4.

      IP-Security is more advanced, and you can even define your own rules there. You'll need to use the "Group Policy" editor for that, though. (E.g., by running "GPEDIT.MSC" from the Start/Run... menu.)

      --
      A polar bear is a cartesian bear after a coordinate transform.
  126. Re:Computer viruses like their biological counterp by mlush · · Score: 1
    A virus that destroys its host cannot propagate very far before becoming extinct. Viruses that damage their host but leave it good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).

    Biological viruses don't know if they have propagated; a computer virus could be written to count successful infections.

    Consider a virus that can count its generation and progeny and also knows the date.

    Set it to just propagate till 27th September (mostly using system time, but also polling NTP servers just to check). After that, when it has finished scanning the area, if it has infected more than three machines it goes into kill mode, trashes the hard disk and zeros the BIOS; if it has failed to reproduce enough it keeps scanning and passes the time introducing single bit errors into documents and images.

  127. Re:Computer viruses like their biological counterp by Scudsucker · · Score: 1

    Your analogy fails when you realize that not all computers will be vulnerable to the same virus/worm.

    So does yours, as not all humans are vulnerable to the same viruses/worms.

    A good worm can reach every vulnerable host on the Internet within hours.

    Not with NATs and private networks they won't.

  128. OS X here, too. I say BRING IT ON! Muahahahahah! by Anonymous Coward · · Score: 0

    Betcha can't give me a virus. G'ahead - erase my boot drive.

    GOOD LUCK! : )

  129. Security advisors totally missing the point by gilesjuk · · Score: 1

    They're missing the point that IE is an integral part of the desktop on Windows. It's very hard to get away from IE flaws.

    IE is largely a Windows app now (Mac support was cut off). With Firefox you get to choose the most secure platform to run it on since it is available for many operating systems.

    Many of the flaws in Firefox were discovered by the Firefox developer community and patched rapidly.

  130. BIOS Eraser by Anonymous Coward · · Score: 0

    Most medium and up have a backup copy of the bios on a second chip, most of the time not accessible unless you yourself flip the lil jumper on the motherboard...

  131. Re:Going Nuclear - tipping point by AYeomans · · Score: 1

    We already have the whitelist technology. And have had it for years - the "x" execute permission bit in the file system.

    Only one minor flaw, what happens to the revenue stream from perpetual updates?

    --
    Andrew Yeomans
  132. Here's Hoping by dave1212 · · Score: 1

    So it seems like Symantec really wants to release a Mac virus, by the way they're speaking.

    That would be extremely lame of them, and I hope it doesn't happen, but I wouldn't put it past them (if it's possible). This is the company that stopped making Utilities for the Mac when Panther came out instead of updating it. They will not put in any extra work to get their products working right on a system, instead allowing them to make a mess of most people's hard drives. (and sometimes making matters worse) Myself, I had to pay CA$500 to get my data back after Norton crashed in the middle of repairing. Needless to say, it didn't leave the drive in any sort of usable state. Live and learn, I use Alsoft's DiskWarrior and Micromat's TechTool Pro now.

    The other reason Macs are usually more protected is that Mac users tend to be a little bit smarter than the average computer (Windows) user, and most Mac users know better than to click blindly through dialog boxes or try to open or run something they didn't request, never mind the fact that Apple is constantly updating major system components, which makes their OS somewhat of a moving target. I like run-on sentences.

    Here's a short article on Macs Kill entitled Don't Buy Norton. from a little while ago.

  133. Symantec are fucking shite by Anonymous Coward · · Score: 0

    Symantec r t3h 5uxx0rz.

  134. Re:the best systems today are totally inadequate-n by Anonymous Coward · · Score: 0

    Only if you have a monoculture of windows, do you risk a Darwinian event.
    Evidently, the decision not to build dual boot images, plus wifi, decided by executives, over-rode real security considerations.

    O/S's not network connected seem to operate OK, and OpenBSD connections seem to be solid. Systems like this ARE safe, and you have the option of running knoppix direct off dvd too.

    Symantec is in a unique position to blow the whistle on flaws that presumably they have sourcecode and talent and capability for, but they don't seem to make waves, other than spread fud.

    BSD's, or linux with propolice or NSA probably are good enough. Maybe this EAL security rating stuff needs an overhaul.

  135. Pirated software should get some blame by GauteL · · Score: 1

    A big problem with the traditional software distribution is that if you were to fill up your PC with legitimate commercial software from trusted (non-malicious) sources for all your purposes, you would most likely end up with a total software bill approaching a thousand dollars (Operating system, office pack, proper CD burner software, games, security software, graphics software, etc.)

    Rather than making use of free software, people have gotten used to just pirating commercial software. I have yet to see a Home PC without at least a certain degree of pirated software on them.

    The software vendors have started becoming increasingly anal about copy protection, trying to force people to purchase the software rather than pirate it. It is actually getting hard to just borrow a CD off a friend and install it.

    The result? People will either switch to free software or download dubious Chinese cracks off the Internet. Sadly, most seem to go with the last option.

    The result is a sad state of affairs and it is not all down to security holes in Windows, IE or Outlook.

    The first realisation for people should be that their Windows machine can be filled with nicely working and adequate free software rather than pirated commercial software. A nice security boost just there.

    This works fine, but it is soooo much easier with a Linux system. The huge security boost of newer Linux systems is NOT that they are inherently more secure, but rather that people can get pretty much all the software they need from nice, friendly sources. Sure, they may have some security holes like all software, but they are not actively trying to screw you over.

    Moreover, they are actually all updated from the Linux distributor. You do not have to chase down individual updates yourself.

    If more people switched to Linux, they would simply not have to resort to crackz.com or something for their software needs. Most of it would either already be installed or require just a few mouse clicks to install.

  136. That doesn't mean they'll respond the same way by gelfling · · Score: 1

    Sure it's entirely possible that OsX and Firefox could be exposed to potentially harmful risks going forward. But that in no way means that the vendors or communities responsible for them will respond in the same kind of highhanded way that MS makes its business model either. Let's face facts, MS code problems don't spawn just from bad design choices. They spawn from poor change management, poor development techniques and a business model that puts bells and whistles above basic reliable functionality. Every day some wonks at MS look over a portfolio of 'must-dos' for Windows and for the most part address the security issues that people scream about and that's it. Tomorrow there will be more fires to fight, more snakes to kill.

    But there is no guaranty that everyone else will respond this way. So far there is no indication that Apple for example has chosen this business model. It may very well be that companies decide that better security is a real value add. After all companies like Argus exist for a reason. It's possible that a company the size of Apple could put its weight into making an Argus like system as easy to use as a Mac.

  137. More crackers should start destroying machines by analog_line · · Score: 1

    Certainly, the kind of hassles which various malware cause all over the place don't seem to be convincing anyone that security is an important thing that they need to be aware of.

    I can't count the number of people who've let their computers go to shit, paid me several hundred dollars to get those computers back to a usable state, and actively ignore what I've told them they need to do to keep their computers from getting messed up. It's too hard to remember to use Firefox, or to remember to run AdAware, or to remember to keep paying the subscription on their virus scanner, or move to a safer operating system (either MacOS or Linux would do) or whatever.

    Maybe if these worms, viruses, etc, started making hardware unusable people would take this shit a bit more seriously. Maybe I don't care in the end, because their ignorance is to my profit, just like their ignorance is to Symantec's. Or rather, their general ignorance, punctuated with healthy doses of fear, so they'll run out and obtain my services, or buy Symantec's crappy software.

  138. Re:Three Steps to 100% Computer Security by Anonymous Coward · · Score: 0

    At Georgia Tech, there was a breach several years ago in a computer that housed lots of personal data for our performing arts center. Our IT department responded by segregating the machines that housed that information and building a large metal "room" around them, within the machine room, which was only accessible with separate credentials. Granted the "cage" was part of a larger security audit, but when you looked at the two events separately, it was a pretty hilarious response to the problem.

  139. Re:the best systems today are totally inadequate-n by dave1212 · · Score: 1

    Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end.

    This is only because the writers aren't interested in releasing the kind of viruses we had, say, 10-15 years ago, where corrupting data/erasing files was the norm. Nowadays, they all seem to want the same things: owner access to a PC, and/or the user's confidential information.

    I suppose you could argue that this isn't as bad as having your drive wiped, but it seems to me to be even worse, since these users really have no idea that their important info may be compromised, and essentially can be taken advantage of indefinitely.

    If the zombie PC masters did at some point decide to wreak havoc instead of being stealthy, I'm sure it would be pretty destructive.

  140. Ignored? by Anonymous Coward · · Score: 0

    Yes, yes.. God forbid we waste so much time spellchecking that we didn't get f1rst p05+. Ass.

    In any event, if you had read beyond the first paragraph, it would have been clear your actual "argument" wasn't "ignored"..

    > The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

  141. Re:Hydrogenous Infrastructure. by dannannan · · Score: 1

    Your most excellent rhetoric reminds me of one of my favorite Strong Bad e-mails!

  142. Mod parent funny by Anonymous Coward · · Score: 0

    Come on guys, that is the funniest post I have seen in quite a while.

  143. Re:the best systems today are totally inadequate-n by Xarius · · Score: 1

    Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.

    I know he's an arrogant prick, but esr points out exactly why that wouldn't be a good thing here.

    --
    C17H21NO4
  144. Are you nuts? by emil · · Score: 1

    I never use gui tools that ask for root. On the local system, I ctrl-alt-f1, login as root, and do it cli. I'll also do f2 for a login as myself so I'm not burning up excessive memory and cpu with an xterm for something that doesn't need it.

    up2date -u works great with no X.

  145. eliminate 90% by tim_abell · · Score: 1

    Not to mention of course eliminating 90% of productivity as a bonus.

    Last attempt at running as an unprivileged windows user lasted about 2 weeks. I even knew about runas. Couldn't run my favourite mozilla because it stored its profile in the wrong place (no idea if this was fixed).

    --
    Respect copyright - the GPL relies on it.
  146. Re:jellomizer: Vindictive ass. by Anonymous Coward · · Score: 0

    Yeah, all of your posts should've been modded to oblivion just with your sig alone.

    In any community, some people make positive contributions, others negative, and many a mixture of the two.

    I wish you good luck in making positive contributions in the future. In any case, you've made a name for yourself. I have to wonder if it's the type of reputation that you want?

  147. Re:Mac User Buys Norten AntiVirus by Anonymous Coward · · Score: 0

    And the plural of clod is clod. Right.

  148. Re:Predictably, the /. response is head in the san by thoromyr · · Score: 2, Interesting

    While blowing off the idea or possibility of an attack is stupid, your sky is falling routine is just as bad. Your first paragraph makes general assertions without any evidence of truth. Though Unix systems today are vulnerable (what isn't?) that is nothing compared to Windows.

    It isn't a "naive lack of fear" to use a system that has more secure foundations and then be happy for it.

    On the other hand, waiting for a bad exploit to occur before taking even the most basic precautions is equally absurd. Reactionary security is worthless security. For example, after the Khobar Towers bombing in Dhahran the military mandated a 1,000m standoff. Why? Because they figured that would be the required standoff to have protected from the last attack.

    And what was the next attack? Small arms and vehicular assault in Riyadh. Basically, a perimeter rush using multiple, agile components. The 1,000 meter perimeter just went out the window.

    It's so easy to stick your head in the sand and claim "all systems are vulnerable, lalala" or "no known remote exploits for mine, all is fine lalala" that the proper middle ground gets lost.

    Someone where I work is setting up to secure a lab. They have checked and are looking to use a product that will provide limited capability logins (sounding very similar to OS X's limited user) -- but when I suggested to take the additional precaution of setting the bios password and turning off the ability to boot from anything but the hard drive the response I got was "why go to all that trouble?"

    Here you have a sufficient concern to investigate and purchase a product, but no interest in taking the most basic steps to secure the hardware. Security isn't about patching some specific problem (the Windows approach), it's about design, concept and approach (which FireFox is attempting, the unix-style operating systems take a stab at). To ignore the efforts in this regard is not just stupid, but counterproductive.

    But I have a feeling you either lack any real depth of security understanding or are wearing MS blinders -- just like those poor fools who will wait for armageddon before taking any precaution.

  149. There is some truth to this. by ezweave · · Score: 1
    We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed

    First off, the Slammer worm is a buffer overflow exploit for MS SQLServer, it hampers the internet, but if you are not running SQLServer... Basically, while there are plenty of vulnerable areas, this is incorrect.

    More importantly, buffer overflows are due to unchecked C string copy calls: Java has size limits to Strings, making this harder to do. Java also looks different on the execution stack. C can be disassembled to find these vulnerabilities. So the parent actually has a point, because Java does not go down to assembly, it is harder to see the weaknesses AND since Strings are bound, you don't get buffer overflows in the execution stack.
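
The contrast drawn in the comment above, between an unchecked C string copy and a length-bounded one, shown as an added example (not part of the original post and not any product's code). The one-byte-opcode-plus-name request format, `OP_LOOKUP`, `NAME_MAX_LEN` and both function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example only (not a real protocol):
 * byte 0 is an opcode, the remainder is a service name that the sender
 * may or may not have NUL-terminated. */
#define OP_LOOKUP     0x01
#define NAME_MAX_LEN  16

enum parse_result {
    PARSE_OK            =  0,
    PARSE_BAD_ARGS      = -1,
    PARSE_TOO_SHORT     = -2,
    PARSE_BAD_OPCODE    = -3,
    PARSE_NAME_TOO_LONG = -4
};

/* The unchecked pattern, kept only for contrast and never called below:
 * strcpy() stops at the first NUL in the source, so the sender, not the
 * receiver, decides how many bytes land in dst. */
void copy_name_unchecked(char *dst, const unsigned char *pkt)
{
    strcpy(dst, (const char *)(pkt + 1));
}

/* The checked form: every length is derived from pkt_len and compared
 * with the destination size before a single byte is copied. Over-long
 * names are rejected outright instead of being silently truncated. */
int parse_request(const unsigned char *pkt, size_t pkt_len,
                  char *name_out, size_t name_out_size)
{
    const unsigned char *name, *nul;
    size_t avail, name_len;

    if (pkt == NULL || name_out == NULL || name_out_size == 0)
        return PARSE_BAD_ARGS;
    name_out[0] = '\0';              /* never leave stale data behind */

    if (pkt_len < 2)
        return PARSE_TOO_SHORT;
    if (pkt[0] != OP_LOOKUP)
        return PARSE_BAD_OPCODE;

    name  = pkt + 1;
    avail = pkt_len - 1;

    /* Search for the terminator inside the packet only; an unterminated
     * name simply runs to the end of the received bytes. */
    nul = memchr(name, '\0', avail);
    name_len = nul ? (size_t)(nul - name) : avail;

    if (name_len == 0)
        return PARSE_TOO_SHORT;
    if (name_len >= name_out_size)   /* need room for the trailing NUL */
        return PARSE_NAME_TOO_LONG;

    memcpy(name_out, name, name_len);
    name_out[name_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    /* Constructed sample packets. */
    const unsigned char good[] = { OP_LOOKUP, 'p','a','y','r','o','l','l', 0 };
    unsigned char oversized[200];
    int rc;

    memset(oversized, 'A', sizeof oversized);
    oversized[0] = OP_LOOKUP;

    rc = parse_request(good, sizeof good, name, sizeof name);
    printf("good packet:      rc=%d name=\"%s\"\n", rc, name);

    rc = parse_request(oversized, sizeof oversized, name, sizeof name);
    printf("oversized packet: rc=%d name=\"%s\"\n", rc, name);
    return 0;
}
```

Rejecting the oversized request, rather than truncating it, also gives the service a clean event to log and alert on.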

  150. Re:Going Nuclear - tipping point by Doc+Ruby · · Score: 1

    We've got some of the tech. The tipping point comes when our minds have changed to orient by the new bias. Then the revenue streams multiply as we interdepend for continuous trust info subscriptions.

    --
    make install -not war

  151. Dunno about floppies by Cybertect · · Score: 1

    I don't ever recall auto-execution of applications on floppy disks on any version of Mac OS (or System x.x).

    I suspect you're thinking of the Hong Kong Virus outbreak of 1998 that piggybacked on the behaviour of QuickTime 2.5 and later's AutoPlay feature.

    [let's use Symantec as they're topical]

    http://securityresponse.symantec.com/avcenter/venc/data/autostart.9805.html

    Most of the vulnerabilities in 'Classic' Mac OS were to do with System Extensions and Control Panels which loaded up at boot time. Since they were analogous to kernel extensions, they had deep access into the heart of the OS.

    1. Re:Dunno about floppies by Bill+Dog · · Score: 1

      Not applications, a WND binary resource or driver or somesuch (I got into programming the Mac in college, but not at the hacker level). Back then I had a whole host of novelty, and some gag, system extensions, and don't recall any malicious ones floating around. This was around early 90's, System 7 and 6 and earlier (I originally had I think system 3.2 and finder 5.3 or somesuch on my MacPlus) days, before network-spread viruses (before non-geeks ever heard of the Internet/before it went commercial). I left college, and the Mac world and my aspirations of being a Mac programmer, since there weren't any jobs, in 1993.

      --
      Attention zealots and haters: 00100 00100
  152. MS: call a lawyer by bluGill · · Score: 1

    If Microsoft was smart they would have expert witnesses who will appear in court for you, to testify that running as administrator is bad practice. Thus the program that requires the user to run as administrator is defective, and in violation of various state laws.

    Of course Microsoft would have to fix their own software first, so they are unlikely to do it. Still they should. Software that needs administrator and isn't designed for administrator use only is defective.

    1. Re:MS: call a lawyer by arminw · · Score: 1

      ....Thus the program that requires the user to run as administrator is defective....

      You and I certainly agree that is true, but in order for a court to agree to that there would have to be some law that defines software needing admin rights as being defective or illegal. I know of no such law, but that doesn't mean there isn't one.

      MS has to throw out backwards compatibility for all software that requires admin capability unless it actually NEEDS to make change or addition to the system, such as a device driver. This will make a lot of people mad, because they'll have to upgrade most of their programs, often at considerable expense. For some businesses it might be almost impossible if they are dependent on a program whose maker has gone out of existence.

      The result could be that many will not buy the new OS and its usually required hardware upgrade. Thus there is a distinct possibility that VISTA users will still need to have admin rights because that is the only way the old software will run. That will in turn mean that the new OS will still be insecure for these users.

      In OSX, each successive version upgrade has improved performance on the same old hardware, whereas on Windows the opposite is true. From what I've heard, the hardware requirements for VISTA will be substantially more than the average computer has today. Of course, PC vendors will love that.

      --
      All theory is gray
  153. *snicker* Looks like someone failed the exam... by sczimme · · Score: 1


    Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.

    I'm really tired of mediocre systems guys passing a CISSP exam


    Wow - it looks like someone is bitter because he a) couldn't pass the CISSP exam, b) couldn't get a job in the security field, or c) both. My money is on c).

    --
    I want to drag this out as long as possible. Bring me my protractor.
  154. Security should be taken more seriously by computergeek1200 · · Score: 1

    Security is not given as much attention as it deserves. Most wireless networks are unencrypted. Some people do not apply patches, use firewalls, or have good security practises. This site proves my point because they do not use SSL for the login. This means that someone can obtain your username and password. The polls should require login to stop people from changing their ip addresses. In my opinion wireless is usually not set up properly. Wireless access points should not use WEP and should use WPA instead. I have a video clip from the news about wireless security from my site.

    1. Re:Security should be taken more seriously by computergeek1200 · · Score: 0

      the link changed: click here

  155. Re:Computer viruses like their biological counterp by Yossarian45793 · · Score: 1
    You need to think about different types of hosts as different species of animals. Most viruses are not able to cross species boundaries. Also different members of a species may or may not be vulnerable to a virus due to variations in each one's immune system.

    Regarding the speed of spreading, it's true that the initial spread of an electronic virus tends to be much faster than any biological virus. However, I would argue that there is a large population of hosts which are powered down (asleep) and/or unplugged (abstinent) 95% of time, as well as a constant stream of new hosts being created (born) into the world each day. It takes time to spread to the sleeping/abstinent hosts and the newborn hosts can provide a long stream of new victims, until a vaccine against the virus becomes widespread.

  156. Re:Computer viruses like their biological counterp by Yossarian45793 · · Score: 1
    You are truly devious!

    I would still argue that there exists an incentive to keep hosts relatively healthy to ensure that the virus spreads as far as possible and survives as long as possible. Viruses with no ill side effects or no detectable side effects at all tend to get less attention than viruses which make their hosts drop dead. Viruses which attract too much attention tend to get actively eradicated.

    The other critical difference between biological viruses and electronic viruses is that, unlike biological viruses which rise out of random evolution, electronic viruses are still[1] created by intelligent designers who often have ulterior motives above and beyond maximizing survival of the virus. Electronic viruses are able to turn their hosts into zombies which the virus creator can enslave towards his own ends (usually some form of criminal financial gain).

    [1] It's unclear whether we will ever see electronic viruses created by something other than humans. It seems unlikely to happen anytime soon, but if you believe in a future like Ghost In The Shell, then who knows!

  157. Re:the best systems today are totally inadequate-n by coolGuyZak · · Score: 1
    Remember when the New York blackout occurred? (The one that took out all of NYC, most of the state, and was felt through a good portion of northern Pennsylvania).

    Around that time, after the restoration effort had succeeded, there were several "infrastructure terrorist" shows and articles "fearmongering" the public. Even though they were a feeble attempt to get ratings/hits, they did contain some interesting data. For instance, a large portion of our automated infrastructure is made out of standard windows boxes, controlled via the Internet. Or, at least they were at the time.

    What I am afraid of is a malicious virus being able to assault these boxes and take them out. Forget the damage to OSS. What kind of frenzy could occur if our infrastructure fails us? That is scary.

    ::Removes tinfoil hat::

  158. I know everyone well enough to call them dude. by coolGuyZak · · Score: 1
    You don't know me well enough to call me dude.

    Dude? I don't know what you're talking about. 'Dude' is a pronoun, dude. It's like if I were to call you "You" or "He" or "I". You know... like "Hey! Dude!" or "Dude! Over here!" or "Dude, I am sooo completely wasted".

  159. re: Windows sub-system errors by King_TJ · · Score: 1

    Well, here's just one example of what I was talking about (and this isn't the AUTOEXEC.NT and/or CONFIG.NT issue).

    http://service1.symantec.com/SUPPORT/sunset-c2002kb.nsf/9b60813077fffd2385256ee60055ac57/87712b458878809c85256edf00520ef4?OpenDocument&src=bar_sch_nam

  160. The truth about non-mainstream by Anonymous Coward · · Score: 0

    The truth about non-mainstream products is that there are not security bugs in them because there is not enough of a reason to look for bugs in them -- if you take into account attack surface.

    Attack surface is also extensibility. IE has a lot of attack surface, it is very extensible. The same is true with Firefox.

    Macs have plenty of attack surface. It is just when you are out there hacking you do not often come across a Mac, so you do not need security bugs for them. The same is often true for Linux systems -- usually the person you are targeting is running Windows.

    Security bugs in more popular products mean more press for you.

    Firefox has gotten a lot of attention as an alternative to IE, but the incredible claims of better security all over the media for a year have made it a huge target -- breaking it gets you news reports even though the userbase remains pretty small.

    Functionality. Attack surface. The two go together. The most secure Windows apps? Calc and Notepad.

    People say things like "Firefox does not have ActiveX so it is more secure". Like ActiveX is some great evil. Firefox is extensible. It accepts the major plug-ins out there. Call it "ActiveX" or whatever, it is the same difference: and this is one of the things that adds a lot of functionality to the web. Shock games anyone?

    There are always a lot of people who go through a lot of trouble to run obscure products... and they like to believe because of this they are smarter and better protected than everyone else. These people are often "smart", but they simply are not nearly as smart as they think they are.

  161. Re:Computer viruses like their biological counterp by mlush · · Score: 1
    The other critical difference between biological viruses and electronic viruses is that, unlike biological viruses which rise out of random evolution, electronic viruses are still[1] created by intelligent designers who often have ulterior motives above and beyond maximizing survival of the virus. Electronic viruses are able to turn their hosts into zombies which the virus creator can enslave towards his own ends (usually some form of criminal financial gain).

    How about terrorists, religious nuts and rogue governments? Virus development can be done on the cheap. All they would need is a 100 PC network to simulate the internet and some good programmers (and a good sysadmin to reimage the system after it dies). This sort of thing would be pretty easy to hide (PCs are not hard to get hold of, or transport, the number of people in the know could be tiny (6 or less)). To the terrorist mind it would be really, really attractive (Potential for massive damage, using the great Satan's power against them and the chance to overwrite impure data with copies of their manifesto and/or holy book)