Slashdot Mirror


Computer Security Still Totally Inadequate

Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users, describing their security as a "false paradise". Kernel developer and Red Hat fellow Alan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

47 of 452 comments

  1. Symantec Security Software by orangeguru · · Score: 5, Insightful

    With security suites like that you don't need any hackers or viruses. Bloated Symantec software makes your computer unusable and unstable anyway ...

    1. Re:Symantec Security Software by mjtg · · Score: 2, Insightful

      Wouldn't it make more sense to give her say a Debian box and set up automated security updates on it? Same sort of philosophy re. regular updates, plus the benefit of better baseline security.

    2. Re:Symantec Security Software by Anonymous Brave Guy · · Score: 2, Insightful
      Anti-virus software is itself a hugely invasive, expensive, destabilizing chunk of voodoo that alters your system's behaviour in countless poorly-documented ways. Unless your virus risk is absurdly out of control (ie, you're running Windows), anti-virus software is vastly worse than the problem it supposedly solves.

      So much for the legendary robustness of $ALTERNATIVE_OS, then. If Linux or MacOS X is so much better designed than Windows, how can some anti-virus software destabilise the system as you describe?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Re:"Computer" security? by frinkacheese · · Score: 3, Insightful

    Hmm no. Remember the BIND vulnerability a few years back, that sucked. Back then, most people ran BIND as root in a non-chrooted environment. Really, just about all computer security is pretty much useless against anybody with a little determination.

  3. Consider the source by Anonymous Coward · · Score: 1, Insightful

    The blurring between Symantec marketing and reporting is more than a little disconcerting. It seems we are now in a round of monthly warnings from them to keep sales high. Security is important, it is critical, it should not be taken lightly. However it would be nice if we could stop pulling our hair out on a monthly basis driven solely on the marketing budget of Symantec. (5 years and still virus free. I'm guessing Mac OS X has a little more going for it than just "fools paradise" variety luck)

  4. the best systems today are totally inadequate-not by bcrowell · · Score: 5, Insightful
    I first heard this ca. 1990: if your system is connected to the internet, and it hasn't been hacked yet, it will be soon. Still hasn't happened to me.

    We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours
    Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end. Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.

  5. Re:Hydrogenous Infrastructure. by SecureTheNet · · Score: 2, Insightful

    I believe you mean "heterogeneous," consisting of dissimilar elements. The opposite of homogeneous. I won't even touch the rest of your post... where do you come up with this crap?

    --
    SecureThe.Net - Practical Resources for Securing Systems
  6. What does this have to do with flammable gas? by bigtallmofo · · Score: 5, Insightful

    This is why having a Hydrogenous network and/or having a society where no one platform dominates.

    I'm guessing hydrogenous is not the word you were looking for. Assuming of course that you weren't proposing that we base our networks on hydrogen.

    I'm going to instead assume you meant heterogeneous which is something often proposed on Slashdot and grants the proposer instant karma as people rush to mod them up.

    The only problem is having a heterogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

    --
    I'm a big tall mofo.
  7. Re:Symantec, eh? by Soul-Burn666 · · Score: 4, Insightful

    Having the whole internet spammed with packets sent from infected machines, causing the network to slow to a crawl affects everyone.

    That's the main problem with these viruses, they DON'T only affect Microsoft products.

    --
    ^_^
  8. what's real? by catwh0re · · Score: 4, Insightful
    Although a lot of attacks are technically possible (ideal conditions being that the computer can manage to stay alive and the user doesn't notice the security issue), they aren't very practical. For example a lot of worms do their most damage because they are left unattended (and unnoticed) for large amounts of time, hence by including things to destroy the infected system this will render the system unusable, this will result in the owner interfering or the system being so destructed that it is already unable to spread the virus. It's a gentle balance that mimics the actual spread of real diseases. More serious diseases don't spread far because they become noticed sooner and are contained naturally (i.e. death.) While more subvert diseases are easily spread as the host can live, move about, give it to others unwittingly.

    Our most effective viruses will be the ones that allow the system to live long enough to spread the virus, and as soon as it can't spread it anymore, or the rate of infection drops below a certain level, the self destruct button can be hit. Allowing maximum transfer, and then maximum destruction.

    In the time between these two phases human interference should be able to pick up the CPU/network drain. (Or perhaps a software developer can make a program that realises when cpu usage + network activity is uncontrolled.)
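
The monitoring program suggested in the comment above, sketched as an added example that is not part of the original thread: it flags only sustained periods where CPU load and outbound connection count are both high, so a short compile or a large download does not raise an alert. The thresholds, field names and sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# One reading per minute: CPU utilisation (%) and number of outbound connections.
Sample = namedtuple("Sample", "minute cpu_pct out_conns")


def find_sustained_drain(samples, cpu_limit=85.0, conn_limit=200, window=5):
    """Return (first_minute, last_minute) for each run of at least `window`
    consecutive minutes in which BOTH CPU and outbound connections are over
    their limits. The limits are assumed values; tune them per host."""
    runs = []
    start = last = None
    for s in samples:
        hot = s.cpu_pct >= cpu_limit and s.out_conns >= conn_limit
        contiguous = last is not None and s.minute == last + 1
        if hot and contiguous:
            last = s.minute          # extend the current run
            continue
        # Any run in progress ends here (cool sample or a gap in the data).
        if start is not None and last - start + 1 >= window:
            runs.append((start, last))
        start = last = s.minute if hot else None
    # A run may still be open when the data ends.
    if start is not None and last - start + 1 >= window:
        runs.append((start, last))
    return runs


def constructed_samples():
    """Thirty minutes of constructed readings (not real measurements)."""
    rows = []
    for m in range(30):
        if 10 <= m <= 11:       # CPU-only spike, e.g. a compile
            cpu, conns = 97.0, 15
        elif 12 <= m <= 14:     # network-only burst, e.g. a large download
            cpu, conns = 20.0, 450
        elif 15 <= m <= 17:     # both high, but shorter than the window
            cpu, conns = 92.0, 600
        elif 19 <= m <= 27:     # sustained CPU + network drain
            cpu, conns = 95.0, 1200
        else:                   # idle baseline
            cpu, conns = 8.0, 12
        rows.append(Sample(m, cpu, conns))
    return rows


if __name__ == "__main__":
    for first, last in find_sustained_drain(constructed_samples()):
        print(f"sustained CPU+network drain from minute {first} to {last}")
```
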

  9. Whereis AntiVirus for MacOS and Linux?? by NatteringNabob · · Score: 4, Insightful

    According to Symantec, this is an enormous untapped market for them since we are all very attractive targets and living in a security dream world. And those products, particularly for Linux, are where exactly? Actions speak louder than words, and if Symantec really thought there was an enormous threat here, they would be pushing out products to address it, because that is what companies that want to maximize profit do. Instead of products, they produce press releases. Once Microsoft's lapdog, always Microsoft's lapdog I guess, even after they have decided to have you put down.

  10. Of course... by milatchi · · Score: 1, Insightful

    Computer Security Still Totally Inadequate

    Of course, if it wasn't I wouldn't have a job.
    ;-)

    --
    Slashdot = -1 Redundant, Asperger, kdawson FUD, Libertarian, and Linux
  11. It's been said time and time again. by Soul-Burn666 · · Score: 4, Insightful

    It doesn't even matter how secure your "system" is, stupid users will always break the system and allow infections.

    Where I live, there was a huge scandal about some company that sent other companies "demo discs" which the employees at the other company obviously ran, trusting some random company. This caused a trojan/backdoor to be installed, eventually costing the companies a lot of data which was viewed by their competitors.

    Even in the army, they have a network completely (physically) disconnected from the public internet, with very strict rules on what's allowed to move inside and usually everything is ok. One time there was a large outbreak of a virus, obviously it was disconnected from the outside, but still an outbreak.
    The source? A high ranked officer thought he's above the rules and connected his infected laptop to the inside network.

    No matter how strong are your means of security, stupidity will always prevail.

    --
    ^_^
  12. "Security Professionals" are Retards by Uhlek · · Score: 5, Insightful

    Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.

    I'm really tired of mediocre systems guys passing a CISSP exam (thousand miles wide, quarter inch deep) and being declared experts on securing things they don't even understand to begin with.

    For one, quantitative analysis of the numbers of vulnerabilities doesn't equate to determining if a system is more or less secure than another. It's also meaningless if you don't compare how the systems are configured in what kinds of environments. Even simple things like Linksys routers greatly contribute to additional security on a personal computer (Windows or otherwise).

    From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."

    Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.

    Insofar as Firefox and OS X being "in for surprises." Sure, Firefox is an evolving application, bugs will be introduced and squashed, and later on more will be introduced. Some of those will be security vulnerabilities. Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

    OS X ... please. The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over. Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause -- even if the spread wouldn't be nearly as bad. And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?

    Despite that incentive, it has yet to be done. A rootkit is being touted as "proof of OS X's insecurity." Give me a break. If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.

    Jesus, I hate security people. I just want to choke them.

  13. Re:OSX Virus by qw(name) · · Score: 3, Insightful

    The primary problem with OS X is the indiscriminate use of the administrative password. Mac users are so used to typing in that password that if an installation asks for it the user automatically types it in. Instant root-kit installation. Now, let's see if Symantec, with all their ridiculous doom and gloom crap, detects it.

  14. Computer viruses like their biological counterpart by Yossarian45793 · · Score: 5, Insightful

    It should come as no surprise that computer viruses and worms tend to aim for control rather than destruction. This exactly parallels what happens with biological viruses and worms. A virus that destroys its host cannot propagate very far before becoming extinct. Viruses that damage their host but leave it in good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).

  15. Register.uk's publishing Symantec's adware by DECS · · Score: 5, Insightful

    Symantec is publishing a self serving press release full of intentional lies as a news item, and idiot news outlets like the Register are publishing it without criticism.

    Shame on both!

    How about reporting:

    "Symantec issued an official sensationalist panic warning to Mac users who have not bought their product. It is unclear how Symantec's products will secure the Mac platform from exploits, since they do nothing to secure a system from a user with physical access. The company may also consider selling volcano insurance and eating babies"

    From the actual Register story:

    "While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future. Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X. This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."

    So Symantec:
    - is shy to report that there are no exploited vulnerabilities
    - analyzed an OS X root kit and determined it ran on OS X
    - thinks the adware/malware market, driven by demand for easy to zombify PCs, is somehow poised to launch specialized attacks on inherently secured systems via non-replicating trojans that require root access to install.

    Which is worse, Symantec's bullshit misinformation, or the Register's uncritical dissemination?

  16. And that is why you'll continue to see these. by khasim · · Score: 5, Insightful
    The "experts" writing these "articles" will be out of a job as security increases.

    From TFA:
    According to the latest edition of Symantec's Internet Security Threat Report, 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer in the first half of 2005.
    And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.

    Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.
    Graham Pinkney, head of threat intelligence EMEA at Symantec, said that switching from IE to Firefox as a way of minimising security risks was no longer valid advice.
    Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?
    "Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Pinkney told an IDC security conference last week ahead of the publication of Symantec's threat report today.
    And he has determined that ... how?

    Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?
    John Cheney, chief executive of email filtering firm BlackSpider, replied that the release of Firefox had "helped Microsoft to raise its game" in terms of browser security.
    "We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?
    As well as making comments that will doubtless irk Firefox fans, Symantec has renewed its assault of the perceived security advantages of Apple Macs.
    Hmmmm, Symantec sells anti-virus software and the like.

    Macs don't seem to be having massive virus/trojan/worm problems.

    Something doesn't look right.
    "Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac's operating system, OS X," Symantec said, reflecting comments in the previous edition of its threat report that OS X was an emerging target for attack.
    When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.
    "While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future."
    Again, it isn't the number of vulnerabilities, it's how they can be exploited.

    Yet I keep seeing references to the NUMBER of vulnerabilities announced.
    Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X.
    #! /bin/bash
    cd /
    rm -R

    Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!
    "This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."
    As does my example with regards to bash and Linux.

    It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.
    Away from the desktop, Microsoft enterprise applications remain the top hacker target.
    Why "away from"?

    Aren't they also the top target on the desktop?

    How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?

    Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.
    1. Re:And that is why you'll continue to see these. by nick this · · Score: 2, Insightful
      Really, Symantec will be around a long time protecting MS Windows customers.

      Sort of, except I'm not willing to stipulate that Symantec is in the business of security. I think they deal more in the field of "security perception management".

      Witness "Symantec Internet Security Suite", with a bunch of sub-standard crapware that breaks just about every machine it touches. Even if Windows becomes completely secure, Symantec will move to a "VoIP Security Suite" or a "IM Security Suite", or "$BUZZWORD Security Suite".

      They have no danger. As long as there are PHBs and home users (WTF were you thinking dad? Why did you install this crap?) then Symantec will never lose its core market.

  17. Re:OSX Virus by Ubernurd · · Score: 2, Insightful

    How is this "informative", mods?

    The article's point is that as "alternative" (read non-MS) OSs and browsers gain popularity, they will garner proportionately more attention from crackers. The "dream world" they speak of is the notion that certain products are more secure because there are less attacks launched against them.

    Not that I agree with TFA, but the point it is trying to make is that because these products have fewer deployments they are a less juicy target for crackers (opportunists). That will change and then we can really see how secure those products are.

    Personally, I think they will stand up much better than the article suggests, but we can't really have an accurate picture until the playing field levels a bit.

    How long this person has been running a mac has nothing to do with it.

    --
    Stack overflow: pid 352258, proc httpd, addr 0x11f7ffff0, pc 0x12000195c Segmentation fault (core dumped)
  18. Re:Java. by QuaZar666 · · Score: 2, Insightful

    Already been fixed with Java 1.4.2 release last week. In fact I remember getting that update.

    Now I am not saying that Viruses can not exist for mac, but at the same time it would not be easy for it to gain access to the entire system, since the only user that can modify the entire system is disabled by default (root). For years people have been saying "just wait, there will be a virus that affects Macs". Well I am still waiting for it. Sure you could tell people to download something from a web page that then runs on the system, but that's not a virus. You could also use bonjour to send a file to everyone else on the network, but you would then need to find a way for it to get onto the network. Mail.app does not auto run scripts so you would have to tell a person to download a file (which would have to include a program to send emails via your SMTP server as defined in com.apple.mail.plist, since you can't tell mail to just send out an email, it would also need to include a feature to read your address book in order to send the emails via its own mail feature, and after doing all that you could send out a virus, but by the time you create a program that does all that you would probably be looking at a file at least 300K, and well the most you could really do is rewrite preferences so for example all jpeg images will now open with textedit, and then add itself to the startup group, but it could not add itself to launchd. To get rid of the virus the most you would really need to do is start the computer into safe boot remove the program from startup, and change the preferences it changed (or recreate the files that the "virus" deleted). Until that day comes I will still run my computer without virus protection.

  19. Re:OSX Virus by Metzli · · Score: 4, Insightful

    I'm not trying to shift the discussion from OS X, but it's not the only OS with that potential user issue. How often does a Linux user click on a program on their desktop that asks for a password? This is a user education issue, just like the "don't click on files that you weren't expecting" Windows problem. Unfortunately, it's darn-near impossible to protect the user from his/her own stupidity, regardless of the operating system they're on.

    --
    "It's too bad stupidity isn't painful." - A. S. LaVey
  20. Re:Doomsaying, like s*x, sells... by Anonymous Coward · · Score: 1, Insightful

    The Morris Worm in the late '80's was bad enough. It took down UNIX systems all over the world, as a bug in the worm allowed it to replicate on the same machine and destroy the OS. (Morris is now an MIT professor and never served a day in jail. It's nice to have your father be the head of the NSA and able to call in favors, or at least in such an excellent place to control the backlash.)

    The vulnerabilities exploited then, (old and unpatched servers, bad passwords, accounts with no passwords, insecure services exposed to the net for no reason whatsoever) certainly exist today and are actually exacerbated by the complexities of doing the most simple tasks with today's wildly overburdened and "feature-filled" servers, running and requiring complex servers for no reason whatsoever. A cracker could do a fairly simple re-write of Morris's worm with a destructive payload on a timer, and could easily take out core systems the world over, even with the enhanced security of UNIX and Linux compared to Windows.

    A destructive Windows worm could be far, far worse due to the popular use of no password for Administrator accounts to ease loans of the computer, laptops walking into and out of secured networks with little to no security auditing.

    A destructive *BIOS* worm would be even more fun. The systems won't fail until the computer is rebooted, and since a BIOS worm that destroys the ability of a BIOS to install a replacement BIOS would effectively make every system exposed to it a ticking time bomb of support costs, it would decimate the most vulnerable users, those without any competent tech support.

  21. Re:why firefox will never be so bad as IE has been by Anonymous Coward · · Score: 1, Insightful

    1. No activex
    2. Automatic updates

    The nightmare IE/windows users have suffered for years is pretty much derived from these two points.


    Are these actual advantages or mere myths?

    1. Firefox has Extensions. They're installed the same way ActiveX controls are. In theory, they can't be installed from "untrusted sites"; in practice, however, it's entirely too easy to get gullible users to add the sites to their allow list and then ask them to install the software.

    To be fair, blocking by default is definitely a good thing -- but IE6 w/ SP2 does the same thing.

    2. Firefox's "Automatic" Update functionality is no better than Windows Update. In fact, Firefox's notify-only behavior (showing a small arrow when a new update is available) already takes more work than a completely automatic update process (which Windows Update optionally provides). I would not be surprised if some users never update Firefox because they don't know what the small green arrow means.

  22. Re:Opt-In ActiveX is the best IE feature, ever by quazee · · Score: 2, Insightful

    Good point about IObjectSafety in SP2. MS has raised the "bar" a bit further up by this, leaving old buggy code behind the bar.

    However, if malware ever gets installed and gains admin access, it is quite pointless to defend against it.
    Even the new IE7 opt-in system is going to be fooled - but *until* your system is rooted, you are in control of the COM components that can be used against you - and that's the point.

    --
    throw new SuccessException("Sig read successfully");
  23. Re:OSX Virus by Anonymous Coward · · Score: 2, Insightful

    Infected with what?

    There are no viruses out in the wild for OSX.

    Come on, Mr. Anonymous Coward - if you have proof, then post it!

  24. Re:why firefox will never be so bad as IE has been by quazee · · Score: 2, Insightful

    It is not a brand new IE feature, it is just a set of locked-down default security settings probably too harsh for average home user (a.k.a. 'Enhanced Security Configuration' - you can revert to WinXP default settings in 10 seconds if you want).
    This is reasonable on servers, but too restrictive to put that in Vista.

    The ability to control (and disable by default) the loadable COM components without the Registry Editor (browsing through 1000's of COM GUIDs) is new in IE7, and that is a welcome improvement :).
    Note: this functionality is NOT covered by the "Manage Add-ons" panel in XP SP2.

    --
    throw new SuccessException("Sig read successfully");
  25. Missing the point by Anonymous Coward · · Score: 1, Insightful

    I think what is trying to be said is that our computer industry as a whole isn't thinking the correct way when it comes to applications and OS's and hardware level security.

    Look at the basic home computer connected to the internet. All ports open. Why was the OS designed this way? Why was the network hardware designed this way? Ease of use over security. Marketing over security. Cost over security.

    Why doesn't my computer question allowing an app to run? So the user can be a moron and still use it.

    Until just recently, we have been living in a world of "allow all, deny selectively" when we should have been a little bit more security savvy with "Deny all, allow selectively"

    Everyone in the industry is to blame for this, not just the big security leakers.

  26. jellomizer: Vindictive ass. by bigtallmofo · · Score: 4, Insightful

    When I first replied to jellomizer with what I thought was a reasonably tactful correction of his use of the word "hydrogenous", his signature said something to the effect of "Waiting until I get a root post with +10 Yea!" (paraphrasing).

    Well, after I posted my response to him (read it for yourself here), he changed his sig to:

    --
    Insult me if you feel you must, Ill just mod down your other messages.


    Out of curiosity, I checked my user page. Several of my comments in the last couple days have been modded down. Of course, nobody would have any reason to mod them down - they're long since off the first page.

    Karma is so ridiculously easy to come by that I wouldn't imagine anyone would care enough to do such a thing. I think this qualifies as the most asinine use of mod points in quite some time. Congratulations, asshat!

    --
    I'm a big tall mofo.
  27. One little difference by Ernesto Alvarez · · Score: 2, Insightful

    Even assuming firefox has as many vulnerabilities as IE, there is still a matter of design that is advantageous to firefox (and detrimental to IE): Firefox is relatively isolated from the rest of the system, while IE is fully integrated. That allows a vulnerability in one part (say IE) to affect others (like Office or Outlook). It's not the first time a vulnerability in IE can be exploited via malicious e-mail. In the case of firefox, most of the damage tends to remain in the same place (firefox). Even if you somehow use firefox applied to incoming mail, a vulnerability would mostly leave the intruder/malware with firefox's capabilities and usually not with the MUA's.

    It's just a matter of modular design.

  28. Re:I don't know if we're lucky. by Ernesto Alvarez · · Score: 2, Insightful

    You're not the only one thinking about that. A friend of mine considered the same scenario once. I think it wouldn't be too bad if someone released a killer worm. The insecure machines would be erased, while the properly secured ones would remain.

    In fact, it's the standard policy at home: I let my folks do whatever they want with their PC, if it starts acting funny, though, it gets reformatted and reinstalled (with a previous DATA ONLY backup, strictly). I don't let them choose the basic software (mozilla or nothing), and if they install malware I consider that their fault and the above rule is applied.

    Eventually they learn to accept the consequences of their mistakes.

  29. Re:OSX Virus by drsmithy · · Score: 4, Insightful
    I've been an OSX user for nearly 5 years. Still waiting...

    So am I, but I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.

  30. Predictably, the /. response is head in the sand by suitepotato · · Score: 3, Insightful

    No one thought the Unix systems of yesteryear were so vulnerable. They were. No one thinks the Unix systems of today are as vulnerable. They are. In years past it was naive lack of understanding of the basic nature of the user base. These days, naive lack of fear.

    I've seen people have that same attitude before someone draws down and leaves them a crumpled mess on a bar room floor. It didn't help them and doesn't help the OSX, BSD, and Linux crowd. You cannot underestimate the danger of the average users' whimsy and inexperience, the truly committed crackers, and the legions of script kiddies who learn their tools from the first two. It isn't Windows that is insecure and dangerous. Windows does nothing it isn't told to by people stupid enough to tell it so by accident or on purpose.

    The future is pointed at self-contained encrypted containers of both interpreted and compiled code objects flitting about the global net and this future will be embraced by Microsoft and the only way that Microsoft will not entirely control it is if the major vendors arrayed against them co-opt the paradigm with standards themselves. The law of unintended consequences being what it is, there is no way that the non-MS community can say credibly that the sheer combinatoric explosion of possibilities for system interaction in this future will not affect them, no matter what their safeguards. It's like trying to guess the outcome of a mating based on a glimpse of a few genes of one parent.

    Assume the worst or the worst will happen to you. Holds true in survival on the streets, in the jungle, or on the Internet. Blowing off the very idea is foolhardy in the extreme. The only option for Linux for its part to avoid it is to remain a sado-masochistic wrong and hard is better than right and easy platform which scares away the average user. In that case, Microsoft's hegemony is assured simply through the incompetence of their opponents, not that it isn't close to that already.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  31. So why hasn't this happened already? by redelm · · Score: 2, Insightful
    Nothing new in this article. The big question remains: if the potential is that large, why hasn't it happened already?

    I suspect it is for one of two reasons: Either doing physical damage to the PC (BIOS/MBR wipes) isn't that easy; or the machines are better protected than we think. Many people have hardware firewalls as part of their home routers. AOL can't be trusted to pass any packets..

  32. Re:OSX Virus by leonbev · · Score: 2, Insightful

    Out of the hundreds of millions of computer users out there, how many actually know how to check the checksum on a file? Now, out of THOSE few people, how many bother to check checksums on all of those files before installing them?

  33. Re:OSX Virus by arminw · · Score: 4, Insightful

    .....Mac users are so used to typing in that password that if an installation ask for it the user automatically types it in.....

    That assumes the Mac user knows the admin password. In a business or school environment the password could be kept only by a few administrators and in a home the parents could keep it. Everybody else is just an ordinary user and the computer is therefore safe from any attack that needs administrator access.

    In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

    Restricting users like this would go a long way to reducing the spread of malware. Only those clueless computer users that are running as administrators could be affected if they type in their password after they have downloaded something from the Internet.

    Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user. If the action involves an unknown admin password, then that stops the nasty stuff right then and there.

    --
    All theory is gray
  34. I thought that was what mod points are for ? by bxbaser · · Score: 2, Insightful

    obvious sarcasm
    But sounds about right for slashdot modding lately.
    I usually waste 2 or 3 mod points when they run out I guess maybe some people just use them up randomly.

  35. Re:OSX Virus by arminw · · Score: 2, Insightful

    ....With a 3% market share,.....

    That is such an old saw which sounds like a broken record. If I had the money, I'd offer $100K to the first person that can infect a standard OSX Mac over the Internet with a self-replicating, spreading malware without requiring user interaction such as entering a password. That also goes for turning such a Mac into a remotely controlled zombie. In business and schools as well as in many homes, the admin passwords could be kept away from most users.

    There are uncountable Windows malwares that require nothing more than having the stock, running computer connected to the Internet. I know of no such thing for Macs. Surely there must be hackers out there who would love to be able to brag that they were the first to come up with a nasty worm/virus that hoses millions or at least thousands of unprotected Macs.

    Anti virus companies, such as Symantec of course fear that if the Macs did get a huge market share, their business which depends on all the MS security lapses, would nosedive. This is why they are putting out increasing amounts of fear propaganda to try to dissuade folks from switching to Macs because they are much more secure.

    --
    All theory is gray
  36. Symantec should talk by sdedeo · · Score: 4, Insightful

    The only problem I've had with my Mac came, surprisingly, not from some unknown and undiscovered internet vulnerability, but from Symantec.

    That would be the "Norton Utilities" for Mac OS X they wrote and sold, that corrupts your hard drive because Symantec didn't bother to figure out how our filesystem works. Wonderful. I had to buy Diskwarrior to sort it out.

    If you go to the Amazon page for the Norton Utilities they sold, it's still there, but along with the dozens of one-star reviews, there is a suggestion that Symantec has quietly stopped shipping it.

    It will be a long time before Mac users trust Symantec again.

    --
    Protect your liberties. Donate to the ACLU
  37. Re:Java. by Anonymous Coward · · Score: 2, Insightful

    with the limited features of applescript

    Yes, with such limited functionality as "do shell script", "run application", "write (file)", and "open url"...not to mention complete user-level control of most running apps (such as, say, Mail)...I really can't imagine how someone would pull off anything malicious.

  38. When? by red990033 · · Score: 2, Insightful

    When are we ever going to have adequate security? The term adequate is subjective. An unpatched, unfirewalled, virgin copy of WinXP could be adequate for any novice user, on the other hand, some would argue a computer with no external drives, nothing on the hard disks, locked inside of an Iresali safe, with welded chains on the outside, then sent into orbit in the outer parts of our solar system is still not secure!

    There will never be adequate security. This is for one small reason. There is no such thing as a perfect system. The more advanced they become, the higher our standards will get. Adequate security is relative to our standards, thus is subjective.

    --
    Do what I say, cuz I said it.
    -Meatwad
  39. Re:OSX Virus by Anonymous Coward · · Score: 1, Insightful

    You don't run as admin in OSX all the time. You do all the administrative tasks the sudo way..

  40. Re:OSX Virus by Lars+T. · · Score: 4, Insightful

    If someone can palm a manipulated program off on you, he can also give you a false checksum to match.

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
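
The point made in the comment above, as an added example that is not part of the original thread: a checksum fetched from the same place as the file proves integrity only, while one pinned from an independent channel also catches a swapped file. The file name, sample bytes and function names are constructed for illustration, and the manifest layout assumed is the one `sha256sum` prints.

```python
import hashlib
import hmac
import re

# "<64 hex chars> <space or *><filename>", the layout sha256sum prints.
LINE_RE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Map filename -> lowercase digest; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.fullmatch(line.rstrip())
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def verify_download(name, data, manifest_text, pinned_manifest_digest=None):
    """Return (ok, reason). Without a pinned digest the manifest is trusted blindly."""
    if pinned_manifest_digest is not None:
        actual = sha256_hex(manifest_text.encode())
        if not hmac.compare_digest(actual, pinned_manifest_digest):
            return False, "manifest does not match pinned digest"
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "file digest mismatch"
    return True, "ok"

# Constructed sample data, not taken from any real download.
GENUINE = b"installer v1.0 (constructed sample bytes)"
TAMPERED = GENUINE + b" plus an unwanted modification"
GENUINE_MANIFEST = f"{sha256_hex(GENUINE)}  installer.dmg\n"
SWAPPED_MANIFEST = f"{sha256_hex(TAMPERED)}  installer.dmg\n"  # replaced with the file
PINNED = sha256_hex(GENUINE_MANIFEST.encode())  # assumed obtained out of band

def demo():
    f = "installer.dmg"
    return {
        "same_channel": verify_download(f, TAMPERED, SWAPPED_MANIFEST),
        "pinned": verify_download(f, TAMPERED, SWAPPED_MANIFEST, PINNED),
        "genuine": verify_download(f, GENUINE, GENUINE_MANIFEST, PINNED),
        "file_only_swapped": verify_download(f, TAMPERED, GENUINE_MANIFEST, PINNED),
    }
```

In practice the pinned value is usually replaced by a signature over the manifest, checked against a publisher key the user already holds.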

  41. Re:OSX Virus by Lars+T. · · Score: 2, Insightful

    With a 0.00...% marketshare, users for Win64's first public beta had to wait how long for the first virus?

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  42. Re:OSX Virus by nyckidd · · Score: 1, Insightful

    >and in a home the parents could keep it.

    I thought the goal was to prevent the installation of malware...

  43. Re:OSX Virus by njyoder · · Score: 2, Insightful

    In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

    What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.

    Restricting users like this would go a long way to reducing the spread of malware

    You can restrict users like that. They're called group policies.

    Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user.

    False. Dude, do your damn research. I just looked over Apple's advisories for the first time and I quickly found a DHCP vuln that allows you full access to the file system just using the DHCP protocol. No user intervention required.

  44. Re:OSX Virus by Titusdot+Groan · · Score: 2, Insightful
    In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.

    What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.

    The only way you can even come close to calling this FUD is by rescoping the problem to school/business. Half the games my kids get for Christmas can't run without admin privs. It's why my kids have administrative accounts even though I'd originally set them up as unprivileged users.

    Never had that problem when they were on the Mac ... too bad only the elementary school games run on Macs ...