Slashdot Mirror


Computer Security Still Totally Inadequate

Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users, describing their security as a "false paradise". Kernel developer and Red Hat fellow Alan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

23 of 452 comments

  1. OSX Virus by Fahrvergnuugen · · Score: 3, Interesting

    I've been an OSX user for nearly 5 years. Still waiting...

    --
    Kiteboarding Gear Mention slashdot and get 10% off!
  2. why firefox will never be so bad as IE has been by diegocgteleline.es · · Score: 4, Interesting

    1. No activex
    2. Automatic updates

    The nightmare IE/windows users have suffered for years is pretty much derived from these two points.

    BTW, gotta love how the IE guys are adding a "new" feature to IE7:

    Building on the security features released at beta 1, upcoming new features will include ActiveX Opt-in: To reduce the attack surface and give users more control over the security of their PC, most ActiveX controls (even those already installed on the machine) will be disabled by default for users browsing the Internet

    I already can read the press: "IE7, with new ActiveX Opt-IN technology which protects you from the threats of the Internets"

    It's amazing how they're trying to get rid of one of their major security mistakes by converting it into marketing crap. "IE7 adds activex opt-in". No, IE7 doesn't "add" that feature. It just removes/limits an already existing feature.

  3. Duplicate Link Checker by Anonymous Coward · · Score: 5, Interesting

    One of the links appears to be new. The other was posted like a week ago. Since the 'editors' don't actually read the site, why don't they just have a short script which checks whether the same link has been posted in another story. That would really cut down on the dupes, and wouldn't take long to implement.

  4. I'm delusional by toupsie · · Score: 3, Interesting
    Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"

    I have been happily living in a "false paradise" since 1984 using Macs.

    P.S. Fair disclosure: I was laid off by Symantec when they bought Fifth Generation Systems in the early 90s.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  5. Symantec is crying wolf again by argent · · Score: 4, Interesting

    Symantec makes their money by producing an amazingly complex set of tools for patching up a security failure after the fact. It's in their interest to convince as many people on as many systems as possible that this is the best way to deal with security problems.

    They have been pulling this kind of thing for years, predicting floods of malware on Palms, Pocket PCs, mobile phones, and I'm sure that game consoles and internet connected coffee machines will be next.

    I'm glad they're working on the problem, so if it ever happens that Apple pulls a stupid trick like ActiveX they'll be there, but in the meantime more people have lost data due to false positives from antivirus software on these platforms than have lost data to actual viruses... so I'll steer clear and take everything they say about it with a grain of salt.

  6. In other news by C_Kode · · Score: 2, Interesting

    The sky would be falling but the bad guys don't really want it to.

    Seriously, how are we "fortunate" that they only wish to take control over your server and not destroy it? If one of my servers is compromised it's as good as destroyed. If they didn't do it, I will, as I wouldn't trust any part of the system. (drives wiped and hardware flashed)

  7. I don't know if we're lucky. by Progman3K · · Score: 4, Interesting

    If all the infected machines were erased, there would be no more bots to spam me with e-mail. There would be no more ddos armies either... http://en.wikipedia.org/wiki/Ddos

    --
    I don't know the meaning of the word 'don't' - J
  8. IMHO, Symantec has done more damage themselves! by King_TJ · · Score: 5, Interesting

    It makes me cringe whenever I hear Symantec making these "predictions" about potential attacks on computers.

    I have run into *countless* numbers of damaged Windows installations, directly attributable to Symantec's own products. Just last week, I struggled for hours with a customer's XP Home Edition because he was "having problems getting any streaming audio to work properly".

    Upon closer examination, the XP firewall was in a corrupt state, refusing to allow connections for his Internet radio stations. I was unable to view the advanced firewall properties, etc. After looking up event log error codes and trying several methods that repaired the problem for some people, it became obvious that I was looking at the result of a botched uninstall of a Symantec Personal Firewall or "Internet Security Suite" product.

    Not only can these things happen, but you'll often see computers with errors with the "32-bit subsystem" when going to an MS-DOS command prompt, due to Norton products screwing up system registry settings due to an improper/incomplete uninstall or installation/upgrade.

    Furthermore, when their anti-virus and "security suite" products do work properly, they still bring older, slower PCs to their knees in many cases. The "on-demand scanning" feature lags far behind the rest of the system when working with large numbers of small files (extracting a ZIP or the like), causing a window to constantly pop up, informing you to "please wait" while it scans them... And their "activation" process they now require for their AV products in Windows is every bit as bad as Microsoft's XP activation procedures! I remember purchasing a 25-pack of OEM Norton AV licenses last year, only to find that 6 or 7 of the key codes refused to work, claiming they were "used too many times" or the like. (I guess pirates with keygens hit upon them already or something?) This is *not* the type of B.S. you want to fool around with when you're on a client site, getting paid by the hour to fix a virus problem for them!

    I won't even go into the disk corruption their "Disk Doctor" for Macintosh did to MANY customers after they upgraded to newer versions of OS X and Symantec didn't keep up with needed changes/patches to the product!

    Their company went down the tubes ever since Peter Norton quit coding their products and started getting royalties for having his photo thrown on the front of the packages.

    1. Re:IMHO, Symantec has done more damage themselves! by csirac · · Score: 2, Interesting

      Haha, I'm so glad I don't do tech support any more.

      So, I'll tell you something for nothing -

      Actually, more often than not, the "32bit subsystem error" is caused by a missing autoexec.nt and config.nt in the windows\system32 directory.

      No joke... check out MS KB 305521 (yes, I have a few favourite KB articles memorised...)

      You can recreate these as zero-length files or just copy them from the restore\ directory (created during initial XP install - may not exist on OEM images).

      Unfortunately, a certain number of systems will still insist on deleting these files again for you after a random period of time; I hadn't associated this with any Symantec products but it sure as well wouldn't surprise me...

      Imagine us, as an authorised Symantec reseller, trying to get support for several OEM discs coming with invalid product keys and being told that "there is no such thing as OEM NAV" (with me holding the phone in one hand in disbelief and a disc with the big fat honking black letters on yellow background, "OEM - To be sold only with a new PC" in the other).

      Christwagons, that Symantec shit is the worst fucking experience of my life. I'm working on erasing that crap from my memory.

      "Oh your email isn't working? No, our servers are fine... do you happen to be running a symantec product with firewall features? You did liveupdate recently... okay now just follow this 6 page registry hack procedure, it appears they released a faulty LiveUpdate... again..."

      AHAAAAHGHGHGHHGHGHHGH

      I spoke to one of the techs that still work at that shop, he said that they've switched to kaspersky and haven't looked back (at least Kaspersky doesn't depend on a 100% healthy windows system - symantec needs 1001 windows components to be working properly or it just breaks in a hilarious way. ActiveX, Javascript, Internet Exploder, proper trusted zone settings, etc etc...).

      One of the best features is that Kaspersky resellers get to manage their customer's product and activation keys!! Which was a huge source of frustration for them, I can't believe they stuck with Symantec for so long after being Symantec resellers ever since they opened up in the mid-90s... gotta love the "kbfix.exe" that corrected the random de-activation of OEM NAV (which doesn't exist, by the way) on Laptop machines running XP Home... Why laptops? Who knows... it boggles the mind to think how software could possibly be written, such that it could possibly even know it was running on a laptop, let alone come up with a reason as to why it would like to do something so utterly arbitrary as de-activate because it was running on one.

    2. Re:IMHO, Symantec has done more damage themselves! by Jesus_666 · · Score: 2, Interesting

      Yup, sounds about right. I had much fun with NIS 2001, which, for some strange reason, decided to stop working after we had reinstalled the computer's ISDN card. Not only did the process refuse to respond to any kind of input, it could also not be terminated in any way (which subsequently made proper deinstallation impossible). Also, it blocked 100% of all Internet traffic.
      We had to boot from a rescue floppy and delete the NIS folder before the system got usable again (yay for FAT32). Of course, a few weeks later another PC's installation of Norton Personal Firewall decided to eat the system tray. The tray was just gone, with no way to get it back. At least we could wipe NPF using Safe Mode.

      Back when DOS was cool the Norton products were great. But the Win32 versions are complete and utter junk. If I have to secure a Windows computer, I now use Antivir PE and a NAT router.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  9. Going Nuclear by Doc+Ruby · · Score: 4, Interesting

    We haven't reached the tipping point yet. The tipping point from "blacklist" to "whitelist". People's computers still trust transmissions unless they are explicitly told not to. After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust". When an associate's own risk goes up, either through proximity through intermediaries with another associate that's not demonstrated uncompromised, or through failing vulnerability tests, or matching profiles vulnerable to newly identified threats, our systems will quarantine transmissions from them. Tainted info that's interacted with their transmissions will not be depended upon for any writeable operations. All our updated mitigations and responses will be brought to bear on the threat's local extent of transmissions. But the big difference will be that every system's default will be "distrust", and all systems will communicate their trustability as status changes.

    This change will be as important to infosystems as was the transformation of life on earth from "prokaryotes", cells without a defined nucleus within a nuclear membrane, into prokaryotes, nucleated cells. Their DNA and other infosystems are compartmentalized from the other machinery of the cell, including those that interact with signal-carrying chemistry from the extracellular environment. That change is the basis for most of life on Earth, for most of the lifetime of the world. The changes in infosystems will likely be as epochal. And until the infodynamic boundary between humans and machines is no longer mediated by non-nervous tissue (like typing fingers and seeing eyes), it will primarily define our machines, as well as ourselves.

    --
    make install -not war

    1. Re:Going Nuclear by Sven+Tuerpe · · Score: 2, Interesting
      After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust".

      Nonsense. Or perhaps an attempt to spread some propaganda here to prepare the ground for so-called trusted computing? Or a misunderstanding of some high-level discussions between people who never had to deal with real-world security issues?

      There is an obvious flaw in your argument: What you describe requires a secure component that manages trust relationships, and decides whether to accept traffic or not from a particular source. You silently assume that this component cannot be manipulated, abused or attacked. Now if we are able to create such a component and integrate it with our computers in a meaningful way, without making it less secure through bugs outside the component itself -- why can't we build secure systems then?

      Another flaw lies in the expectation that people have a web of trust, and that it can be mapped onto the network traffic they produce or accept and such mapping helps to achieve any security goal. I don't and it can't. I'm paranoid, I trust nobody. However, I am willing to accept traffic from entirely untrustworthy sources like, say, pr0n sites. Which does not imply I trust them.

      --
      http://erichsieht.wordpress.com/category/english/
  10. Re:what's real? by Requiem+Aristos · · Score: 4, Interesting

    The problem with the "Kill the host and the virus can't spread" counter-argument is that it assumes one of two goals:

    1) You are trying to keep the virus active indefinitely, or...
    2) The virus requires a significant amount of time to saturate the population.

    If the writer is interested in making a name for himself neither of the two may apply. Some of the recent big-name worms have been able to infect a significant percentage of the vulnerable population in a matter of minutes or hours. This means that after the first 4 hours or so your rate of infection will level off, and you may as well start killing hosts. Which would get the greater publicity, just infecting 3/4ths of the Net, or infecting 2/3rds the Net but permanently killing the machines?

  11. There are some good points by Anonymous Coward · · Score: 1, Interesting

    My aunt, who runs OSX, knows nothing of viruses; the only thing she knows is what she was told: "you can't get viruses in MACs, it's a Windows issue"

    Now let's just say a MAC virus was circulating, and she got it... how would she ever know? That virus would reside on her machine forever!

  12. Re:Whereis AntiVirus for MacOS and Linux?? by Akaihiryuu · · Score: 2, Interesting

    Same goes for Linux "antivirus" programs. All of the so-called Linux antivirus programs scan email and sometimes files for Windows viruses, to keep you from passing them on to poor Windows users. I guess that might come in handy if you were running an email server, and you wanted to keep Windows viruses out of the email. But they don't do jack for Linux itself. In fact, the whole concept of a "virus" in Windows doesn't work in a *nix environment. The closest thing I can think of is a worm, but you have to be running a specific vulnerable version of a service (and even then, that service has to have privileges that would enable an exploit to do something consequential to the system) for that to even be a possibility. "Viruses" as Windows users know them are only possible in the Windows world.

  13. Re:Missing the point by Anonymous Coward · · Score: 1, Interesting

    This is why I put my first firewall on my internet connection back in 1995. I re-purposed a tiny old 386 to run Linux, have a network card and connect to a modem. It worked for me until a couple of years ago when I switched to a wireless access point/firewall connected to a cable modem also running Linux, but using even less power and no moving parts.

    Behind the firewall I put a few computers and had on demand dial up. The funny thing is that the tiny little 386 running Linux and caching the name server access sped up my web browsing by at least double, and that was with no web proxy at all. The dialup was just faster on that old linux box than windows 95 on much more powerful hardware.

    Total cost? Free. This was old hardware that was dumped by people when they upgraded and 50 feet of excess 10Base2 wire and a few connectors and terminators from work. Don't worry, they got paid back when I built them a multi line fax computer that could forward faxes to our main office, in a week using Linux after no commercial vendor had a comparable product that did what we wanted for any amount of money.

  14. Re:And that is why you'll continue to see these. by Spoing · · Score: 2, Interesting
    The irony, of course, is that Microsoft really is working at reducing the need for "leech" companies such as Symantec which feed off its flaws. Each successive release of MS Windows is a blow to the relevance of "security" purveyors like Symantec.

    Are you really sure that they are serious about security? Looks like they have some leech-like qualities themselves!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  15. Re:"Security Professionals" are Retards by njyoder · · Score: 2, Interesting

    Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

    Ok, so you're acknowledging that Firefox will become susceptible to malicious websites then? So where's your disagreement?

    The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over.

    And it's still true despite what those inside the RDF say. BTW, it's viruses, not 'viri' or 'virii.' That's how l33t kidd13z spell it.

    Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause

    Why would it make them more famous? Because you say it's more difficult? If they did, no one would care. People have made viruses for older versions of Mac OS and no one cared. The funny thing is, the pre-OS X versions had very few viruses due to lack of popularity, despite even Apple admitting it having even less security than windows.

    And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?

    No, why would anyone be surprised that unpopular software hasn't had viruses written for it yet?

    Despite that incentive, it has yet to be done.

    What incentive? Praise from a tiny number of geeks? Because that's all that would happen, realistically.

    A rootkit is being touted as "proof of OS X's insecurity." Give me a break.

    Hello. For someone who just mocked others for not knowing about security, you obviously don't know about it yourself. You're basically suggesting that OS X is perfectly secure barring a really stupid user error, which is absurd.

    Take a look at a list of past vulnerabilities for OS X and take special note of the REMOTELY EXPLOITABLE ONES, including ones that require no special access to the machine:

    http://docs.info.apple.com/article.html?artnum=61798
    http://docs.info.apple.com/article.html?artnum=300667
    http://docs.info.apple.com/article.html?artnum=25631

    For someone who claims to know about security, I am *shocked* that you didn't even bother to check the advisories on Apple's official website. All it takes is a single unpatched machine to spread and that's no different than it is for windows--since windows users are notorious for not patching.

    Just a quick look revealed one vulnerability that allows you to gain access to the machine's hard drives via malformed DHCP packets. Another allows you to execute arbitrary code via a quicktime URL.

    If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.

    WELCOME TO COMPUTER SECURITY, PEOPLE ARE STUPID. That is principle number one. If you thought that security could operate under the assumption that people had common sense, you are sadly mistaken. OS X, like all OSes, has vulnerabilities and inevitably there will be many unpatched machines and that can be taken advantage of.

    WELCOME TO THE REAL WORLD.

  16. Re:Symantec Security Software by heybrakywacky · · Score: 2, Interesting
    A firewall, reasonable use restrictions (not installing Chinese software cracks), not using IE/Outlook, and running an occasional anti-virus anti-spyware scan are plenty.

    It's the "reasonable use restrictions" part that encompasses too much ground for your average (computer/internet-undereducated) user to adequately cover. They don't understand what is reasonable and what is not.

    That said, I have yet to see where these internet security suites make things any better. Every single machine I've had to disinfect for someone in the group above has had anti-virus software installed on it. It didn't seem to keep their machines from being completely compromised.

    What's sad to me is that I know other developers and IT professionals who themselves have drunk the kool aid and use these tools religiously. I've sat and shook my head as I've watched their machines crawl, watched them click through ridiculous numbers of allow/deny pop-up windows, watched them pull their hair out wondering why this or that application won't run properly. What's the point in having a computer if you're not allowed to use it?

    Education is a wonderful thing. I run no anti-virus software, and limited firewalling, in every computing environment I work in. I've never had a compromised machine, never had one virus, one trojan. Nothing. My brain and resulting discretion is the best security software I could ever ask for.

    --
    I'm sorry sandwich! --Brak
  17. McAfee is even worse by Moraelin · · Score: 5, Interesting

    Well, I won't disagree with you on the whole. It in fact mirrors my own thoughts and observations.

    I once got a computer virused intentionally. (That was the only Windows virus I ever got, btw, so if anyone wants to start with the canned "Windows has viruses, use Linux instead" answers, spare your breath.) I was installing Windows 2000, had no firewall handy, and thought I'm too lazy to go buy a firewall or go burn Zone Alarm on a CD on someone else's computer. Also, I didn't know yet that I could just activate the built-in poor-man's firewall (yes, you can tell Windows 2000 to not allow incoming connections) to stay safe until I download the updates and a firewall. So, anyway, I thought I'd let it get virused while I download the firewall, then format and reinstall. It's not like 20 minutes extra are a major catastrophe.

    So predictably it does catch an RPC buffer-overflow virus while downloading Sygate Personal Firewall. Then I block it from connecting to the network and play with it a little. It got me curious.

    You know what was sad? It actually slowed the computer a lot less than Norton. You know what's sadder? Installing Norton and running a full scan didn't catch it anyway. It just slowed down the computer some more.

    But still, Symantec isn't _the_ worst. Try McAfee sometime if you're masochistic. Not only was it even less efficient and slower, but it also had such gems as:

    - needed IE to download its updates, because it used some ActiveX crap, but it was too stupid to just launch IE, then. It launched the default browser, in this case Opera, and then couldn't get itself updated. That's sad.

    - it was installed on D: but the updates proceeded to install themselves in the default directory on C:. Worse yet, I wasn't just left with an extra copy on the hard drive, but had two versions running in RAM at the same time.

    - this got even funnier later when I uninstalled it, because one of the two versions remained installed and auto-loaded. I had to edit the registry to stop it. (If you thought only spyware has to be removed that way, McAfee is obviously the counter-example.)

    - their "privacy" protection basically did nothing but try to protect me from cookies, including temporary login cookies on web sites. I suddenly couldn't use any sites that required login. Not even in a consistent and predictable way. E.g., Gamespy's Fileplanet got terminally confused and different pages thought that I was logged in and not logged in at the same time.

    And so on and so forth. That was a rather non-funny experience.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  18. Re:"Security Professionals" are Retards by njyoder · · Score: 2, Interesting

    I've used back through System 7, and my experience and understanding has always been that macos releases are substantially more secure than their Windows contemporaries

    What planet are you living on? All the previous versions had no file security and no memory protection mechanisms AT ALL. Any program executed on the machine has 100%, uninhibited access to all resources. This is public knowledge.

    They're doing it to enleeten themselves in the eyes of their friends, and tainting the relatively-pristine territory of macosx or linux would do that far more than writing Windows Virus #72,927,215.

    That's a nice little theory, but it really only goes to show your complete ignorance of how things really work. If that were true, why were viruses so extraordinarily rare for all prior Mac OS versions despite it having no standard patching mechanisms and no built in security? I guess NO ONE CARED.

    The potential to write worms for linux has been out in the open for quite a long while too--there are many machines running outdated versions of bind, sendmail, fetchmail, and so forth that could be taken advantage of.

    Every so often a new vulnerability will come out for some popular piece of networked *nix software and it will take months or years until most systems are patched. So if your theory were true, why hasn't some hax0r written worms for them? Perhaps it's because of a lack of interest.

    They get far more praise by infecting many Windows machines than the much smaller number of OS X machines. Ditto for Linux. You don't seem to understand that the 'feat' is about numbers, not about your imagined pristine reputation of OS X. And they're not actually pristine, they've had tons of vulnerabilities and even exploits, just not many viruses/worms.

    Because Apple fixed them.

    No, actually, it seems that Apple doesn't even write the majority of that software, so they don't write the fixes for it.

    whose user has not gone out of their way to disable updates.

    Not gone out of their way? You mean not clicked 'off'?

    within a not-bad span of time

    I see you turned on the "RDF" option. You really shouldn't preach that as a matter of faith. Apple can only fix it AT BEST, as fast as the authors of the software will fix it.

    Software Update runs by default and makes it inconvenient to not maintain current patches.

    I'm sorry, but you're under the mistaken impression that everyone wants and does have it running, especially a bad assumption with dial-up users.

    You're also under mistaken assumptions about time between discovery and fixing of something, especially since you seem to think it's APPLE fixing bugs, when more often it's not them doing the fixing.

    You're making an even worse assumption that the software compromised will be something covered by Apple's automated update system. That's a really, REALLY horrible assumption to make.

    For someone who is critical of false security experts, you sure are making yourself look like an even worse one.

  19. Re:Predictably, the /. response is head in the san by thoromyr · · Score: 2, Interesting

    While blowing off the idea or possibility of an attack is stupid, your sky is falling routine is just as bad. Your first paragraph makes general assertions without any evidence of truth. Though Unix systems today are vulnerable (what isn't?) that is nothing compared to Windows.

    It isn't a "naive lack of fear" to use a system that has more secure foundations and then be happy for it.

    On the other hand, waiting for a bad exploit to occur before taking even the most basic precautions is equally absurd. Reactionary security is worthless security. For example, after the Khobar Towers bombing in Dhahran the military mandated a 1,000m standoff. Why? Because they figured that would be the required standoff to have protected from the last attack.

    And what was the next attack? Small arms and vehicular assault in Riyadh. Basically, a perimeter rush using multiple, agile components. The 1,000 meter perimeter just went out the window.

    It's so easy to stick your head in the sand and claim "all systems are vulnerable, lalala" or "no known remote exploits for mine, all is fine lalala" that the proper middle ground gets lost.

    Someone where I work is setting up to secure a lab. They have checked and are looking to use a product that will provide limited capability logins (sounding very similar to OS X's limited user) -- but when I suggested to take the additional precaution of setting the bios password and turning off the ability to boot from anything but the hard drive the response I got was "why go to all that trouble?"

    Here you have a sufficient concern to investigate and purchase a product, but no interest in taking the most basic steps to secure the hardware. Security isn't about patching some specific problem (the Windows approach), it's about design, concept and approach (which FireFox is attempting, the unix-style operating systems take a stab at). To ignore the efforts in this regard is not just stupid, but counterproductive.

    But I have a feeling you either lack any real depth of security understanding or are wearing MS blinders -- just like those poor fools who will wait for armageddon before taking any precaution.

  20. Re:Symantec Security Software by MikeFM · · Score: 2, Interesting

    The best thing we could really do for security is to write more software in high-level languages. Fewer holes such as buffer overflows and similar low-level flaws means that code that hasn't been permitted to execute is less likely to execute through loopholes. That combined with decent coding practices and use of OS's that have good built-in security (Unix, Linux, BSD, OSX) would mean a lot.

    I rather liked the article a few days ago that suggests allowing no code to execute unless first added to a whitelist. That could annoy users but it'd help a lot. Only, it'd be a real pain in the ass on development machines so we'd have to have a way to turn that feature off. :)

    One major distinction programmers need to get over is the distinction between code and data. Just because data wasn't meant to execute doesn't mean it can't. Just because data isn't Turing complete doesn't mean it isn't a program - structured data such as XML, JPEG, or MP3 files can all be considered programs. It's all dangerous.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
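The last comment's point that structured data is effectively a program is easiest to see in a parser: the bytes decide what the code does next. The following C is an added example (not code from the thread or from any product discussed in it) using a constructed two-byte-header record format; the format, the 16-byte title buffer and all function names are assumptions made for the illustration. It shows a length-trusting parser next to a bounds-checked one.

```c
/* Added example, not from the Slashdot thread. Hypothetical record layout:
 *   byte 0      : record type (0x01 = title)
 *   byte 1      : declared payload length N
 *   bytes 2..N+1: payload, a title string without a NUL terminator
 * The declared length N comes from the data, so it is the "program" that
 * steers the parser. An N larger than the destination is a buffer overflow;
 * an N larger than the input actually supplied is an over-read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 16            /* 15 characters plus the terminating NUL */
#define RECORD_TYPE_TITLE 0x01

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_SHORT = 1,        /* input ends before the header or payload does */
    PARSE_ERR_TYPE = 2,         /* not a title record */
    PARSE_ERR_TOO_LONG = 3      /* declared length would not fit the destination */
};

/* Vulnerable form: trusts the declared length. N can be up to 255, the
 * destination holds 16, so a hostile record smashes whatever follows `out`,
 * and an N beyond in_len also reads past the input. Shown for comparison
 * only; this file never feeds it a hostile record. */
int parse_title_unsafe(const uint8_t *in, size_t in_len, char out[TITLE_MAX])
{
    if (in_len < 2 || in[0] != RECORD_TYPE_TITLE)
        return PARSE_ERR_TYPE;
    size_t n = in[1];
    memcpy(out, in + 2, n);     /* no check against TITLE_MAX or in_len */
    out[n] = '\0';              /* this write can also land out of bounds */
    return PARSE_OK;
}

/* Hardened form: every length taken from the data is checked against both
 * bounds that matter, the destination size (overflow) and the bytes that
 * are really present in the input (over-read), before anything is copied. */
int parse_title(const uint8_t *in, size_t in_len, char out[TITLE_MAX])
{
    if (in_len < 2)
        return PARSE_ERR_SHORT;
    if (in[0] != RECORD_TYPE_TITLE)
        return PARSE_ERR_TYPE;
    size_t n = in[1];
    if (n >= TITLE_MAX)         /* keep room for the terminating NUL */
        return PARSE_ERR_TOO_LONG;
    if (n > in_len - 2)         /* payload must actually be in the input */
        return PARSE_ERR_SHORT;
    memcpy(out, in + 2, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Constructed sample records (not captured from any real file). */
static const uint8_t GOOD_RECORD[]      = { 0x01, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t OVERSIZED_RECORD[] = { 0x01, 0xC8, 'x', 'x', 'x' }; /* claims 200 */
static const uint8_t TRUNCATED_RECORD[] = { 0x01, 0x0A, 'a', 'b', 'c' }; /* claims 10, has 3 */

/* Scratch destination shared by main() and the checks below. */
static char g_title[TITLE_MAX];

int main(void)
{
    int rc = parse_title(GOOD_RECORD, sizeof GOOD_RECORD, g_title);
    printf("good record     -> status %d, title \"%s\"\n", rc, g_title);
    rc = parse_title(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD, g_title);
    printf("oversized record-> status %d (rejected before any copy)\n", rc);
    rc = parse_title(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD, g_title);
    printf("truncated record-> status %d (rejected before any copy)\n", rc);
    return 0;
}
```

Compiling the unsafe variant with a sanitizer and handing it the oversized record is the quickest way to watch the overflow, which is exactly what a fuzzer does when it treats the file format as the attack surface.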