Slashdot Mirror
Computer Security Still Totally Inadequate
Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise". Kernel developer and Red Hat fellow, Allan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
No agenda here. Move along.
Note to mods: I'm probably being sarcastic.
I've been an OSX user for nearly 5 years. Still waiting...
Kiteboarding Gear Mention slashdot and get 10% off!
Quite true! If everything was programmed in Java, viruses would move so slow that they would never have a chance to infect a significant # of machines as well as those they attempt to infect would take forever to execute it's evil payload.
Help Brendan pay off his student loans
Comment removed based on user account deletion
With security suites like that you don't need any hackers or viruses. Bloated Symantic software makes your computer unusable and unstable anyway ...
Hmm no. Remember the BIND vulnerability a few years back, that sucked. Back then, most people ran BIND as root in a non chrooted environment. Really, just about all computer security is pretty much useless against anybody with a little determination.
1. No activex
2. Automatic updates
The nightmare IE/windows users have suffered for years is pretty much derived from these two points.
BTW, gotta love how the IE guys are adding a "new" feature to IE7:
Building on the security features released at beta 1, upcoming new features will include ActiveX Opt-in: To reduce the attack surface and give users more control over the security of their PC, most ActiveX controls (even those already installed on the machine) will be disabled by default for users browsing the Internet
I already can read the press: "IE7, with new ActiveX Opt-IN technology which protects you from the threats of the Internets"
it's amazing how they're trying to get rid of one of their major security mistakes by converting it in marketing crap. "IE7 adds activex opt-in". No, IE7 doesn't "add" that feature. It just removes/limites a already existing feature
Is that so? Here's a two'fer
CVE-ID: CAN-2005-2529
Available for: Java 1.4.2
Impact: Malicious system users can gain elevated privileges.
Description: This is specific to the implementation of Java on Mac OS X. The utility used to update Java shared archives is susceptible to a privilege escalation vulnerability from local system users. This update addresses the issue by performing additional clean-up before launching the utility on behalf of unprivileged users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Dino Dai Zovi for reporting this issue.
One of the links appears to be new. The other was posted like a week ago. Since the 'editors' don't actually read the site, why don't they just have a short script which checks whether the same link has been posted in another story. That would really cut down on the dupes, and wouldn't take long to implement.
We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours
Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end. Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.
Find free books.
Not good enough he's a kernel developer and Red Hat fellow, now he had to go and add an l to his name?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Nevermind RTFA, did you even read the summary?
"Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"."
I have been happily living in a "false paradise" since 1984 using Macs.
P.S. Fair disclosure I was laid off by Symantec when they bought Fifth Generation Systems in the early 90s.
Strange women lying in ponds distributing swords is no basis for a system of government.
Hydrogenous?
Is English your first language? Or do you make them up as you go along?
"Hydrogenous" Network?!? That would be a network made of hydrogen, wouldn't it? I think the word you're grasping for is "Heterogenous"
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I believe you mean "heterogeneous," consisting of dissimilar elements. The opposite of homogeneous. I won't even touch the rest of your post... where do you come up with this crap?
SecureThe.Net - Practical Resources for Securing Systems
I think advocating for or against a "Hydrogenous" network might cause a flamewar, teehee.
Maybe you were thinking of heterogeneous? or androgynous? Hard to tell because attempting to read a few lines of your post made my face explode. It's 'unpossible' to read your posting.
This is why having a Hydrogenous network and/or having a society where no one platform dominates.
I'm guessing hydrogenous is not the word you were looking for. Assuming of course that you weren't proposing that we base our networks on hydrogen.
I'm going to instead assume you meant heterogeneous which is something often proposed on Slashdot and grants the proposer instant karma as people rush to mod them up.
The only problem is having a hetereogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.
I'm a big tall mofo.
Symantec makes their money by producing an amazingly complex set of tools for patching up a security failure after the fact. It's in tehir interest to convince as many people on as many systems as possible that this is the best way to deal with security problems.
They have been pulling this kind of thing for years, predicting floods of malware on Palms, Pocket PCs, mobile phones, and I'm sure that game consoles and internet connected coffee machines will be next.
I'm glad they're working on the problem, so if it ever happens that Apple pulls a stupid trick like ActiveX they'll be there, but in the meantime more people have lost data due to false positives from antivirus software on these platforms than have lost data to actual viruses... so I'll steer clear and take everything they say about it with a grain of salt.
Our most effective viruses will be the ones that allow the system to live long enough to spread the virus, and as soon as it can't spread it anymore, or the rate of infection drops below a certain level, the self destruct button can be hit. Allowing maximum transfer, and then maximum destruction.
In the time between these two phases human interference should be able to pick up the CPU/network drain. (Or perhaps a software developer can make a program that realises when cpu usage + network activity is uncontrolled.)
According to Symantec, this is an enormous untapped market for them since we are all very attractive targets and living in a security dream world. And those products, particularly for Linux, are where exactly? Actions speak louder than words, and if Symantec really thought there was an enormous threat here, they would be pushing out products to address it, because that is what companies that want to maximize profit do. Instead, of products, they produce press releases. Once Microsoft's lapdog, always Microsoft's lapdog I guess, even after they have decided to have you put down.
Oh, never mind.
If it was a false paradise it would come with a tropical island, Nicole Kidman and bathtub full of champagne.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
The sky would be falling but the bad guys don't really want it too.
Seriously, how are we "fortunate" that they only wish to take control over your server and not destroy it? If one of my servers are compromised it's as good as destroyed. If they didn't do it, I will as I wouldn't trust any part of the system. (drives wiped and hardware flashed)
I think I'd rather exist in a false paradise than a certifiable hell.
Yes... [clears throat] ahem... The exports of Libya are numerous in amount. One thing they export is corn, or as the Indians call it, "maize". Another famous Indian was "Crazy Horse". In conclusion, Libya is a land of contrast. Thank you.
sig
Well, I bought Norton for mac and when I ran it, it said:
"Updating Virii Signatures......"
"0 Signatures updated, there are no virii for mac you idiot"
Can I return it?
It doesn't even matter how secure your "system" is, stupid users will always break the system and allow infections.
Where I live, there was a huge scandal about some company that sent other companies "demo discs" which the employees at the other company obviously ran, trusting some random company. This caused a trojan/backdoor to be installed, eventually costing the companies a lot of data which was viewed by their competitors.
Even in the army, they have a network completely (physically) disconnected from the public internet, with very strict rules on what's allowed to move inside and usually everything is ok. One time there was a large outbreak of a virus, obviously it was disconnected from the outside, but still an outbreak.
The source? A high ranked officer thought he's above the rules and connected his infected laptop to the inside network.
No matter how strong are your means of security, stupidity will always prevail.
^_^
Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.
... please. The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over. Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause -- even if the spread wouldn't be nearly as bad. And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?
I'm really tired of mediocre systems guys passing a CISSP exam (thousand miles wide, quarter inch deep) and being declared experts on securing things they don't even understand to begin with.
For one, quantative analysis of the numbers of vulnerabilities doesn't equate to determining if a system is more or less secure than another. It's also meaningless if you don't compare how the systems are configured in what kinds of environments. Even simple things like Linksys routers greatly contribute to additional security on a personal computer (Windows or otherwise).
From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."
Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.
Insofar as Firefox and and OS X being "in for surprises." Sure, Firefox is an evolving application, bugs will be introduced and squashed, and later on more will be introduced. Some of those will be security vulnerabilities. Any application who's sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.
OS X
Despite that incentive, it has yet to be done. A rootkit is being touted as "proof of OS X's insecurity." Give me a break. If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.
Jesus, I hate security people. I just want to choke them.
Saying that Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders
In other news, fans of anal sex everywhere protest the comparison to Java.
Symantec foretells a dark future for Firefox and Mac users...
Whew, good thing I'm running IE 5.5 and Windows 98.
If all the infected machines were erased, there would be no more bots to spam me with e-mail. There would be no more ddos armies either... http://en.wikipedia.org/wiki/Ddos
I don't know the meaning of the word 'don't' - J
It should come as no surprise that computer viruses and worms tend to aim for control rather than destruction. This exactly parallels what happens with biological viruses and worms. A virus that destroys its host cannot propogate very far before becoming extinct. Viruses that damage their host but leave it good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).
It makes me cringe whenever I hear Symantec making these "predictions" about potential attacks on computers.
I have run into *countless* numbers of damaged Windows installations, directly attributable to Symantec's own products. Just last week, I struggled for hours with a customer's XP Home Edition because he was "having problems getting any streaming audio to work properly".
Upon closer examination, the XP firewall was in a corrupt state, refusing to allow connections for his Internet radio stations. I was unable to view the advanced firewall properties, etc. After looking up event log error codes and trying several methods that repaired the problem for some people, it became obvious that I was looking at the result of a botched uninstall of a Symantec Personal Firewall or "Internet Security Suite" product.
Not only can these things happen, but you'll often see computers with errors with the "32-bit subsystem" when going to an MS-DOS command prompt, due to Norton products screwing up system registry settings due to an improper/incomplete uninstall or installation/upgrade.
Furthermore, when their anti-virus and "security suite" products do work properly, they still bring older, slower PCs to their knees in many cases. The "on-demand scanning" feature lags far behind the rest of the system when working with large numbers of small files (extracting a ZIP or the like), causing a window to constantly pop up, informing you to "please wait" while it scans them... And their "activation" process they now require for their AV products in Windows is every bit as bad as Microsoft's XP activation procedures! I remember purchasing a 25-pack of OEM Norton AV licenses last year, only to find that 6 or 7 of the key codes refused to work, claiming they were "used too many times" or the like. (I guess pirates with keygens hit upon them already or something?) Thiis is *not* the type of B.S. you want to fool around with when you're on a client site, getting paid by the hour to fix a virus problem for them!
I won't even go into the disk corruption their "Disk Doctor" for Macintosh did to MANY customers after they upgraded to newer versions of OS X and Symantec didn't keep up with needed changes/patches to the product!
Their company went down the tubes ever since Peter Norton quit coding their products and started getting royalties for having his photo thrown on the front of the packages.
Symantec is publishing a self serving press release full of intentional lies as a news item, and idiot news outlets like the Register are publishing it without criticism.
Shame on both!
How about reporting:
"Symantic issued an official sensationist panic warning to Mac users who have not bought their product. It is unclear how Symantec's products will secure the Mac platform from exploits, since they do nothing to secure a system from a user with physical access. The company may also consider selling volcano insurance and eating babies"
From the actual Register story:
"While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future. Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X. This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."
So Symantec:
- is shy to report that there are no exploited vulnerabilities
- analyzed a OS X root kit and determined it ran on OS X
- thinks the adware/malware market, driven by demand for easy to zombify PCs, is somehow poised to launch specialized attacks on inherently secured systems via non-replicating trojans that require root access to install.
Which is worse, Symantic's bullshit misinformation, or the Register's uncritical dissemination?
From TFA: And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.
Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?And he has determined that
Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?"We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?Hmmmm, Symantec sells anti-virus software and the like.
Macs don't seem to be having massive virus/trojan/worm problems.
Something doesn't look right.When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.Again, it isn't the number of vulnerabilities, it's how they can be exploited.
Yet I keep seeing references the the NUMBER of vulnerabilities announced.#!
cd /
rm -R
Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!As does my example with regards to bash and Linux.
It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.Why "away from"?
Aren't they also the top target on the desktop?
How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?
Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.
This, in fact, should reduce the IE's attack surface several-fold.
.VBS/.JS script stored on the local machine (which is trusted to do anything anyway), yet a lot of MS and third-party components is in CATID_SafeForScripting for no reason at all.
n /fq99-032.mspx n /fq99-037.mspx n /MS02-055.mspx n /MS02-065.mspx n /ms02-055.asp n /ms03-038.asp n /MS03-038.mspx e chnet/security/bulletin/MS03-038.asp
... and many-many-many more of these holes (just search for "kill bit" with the quotes)
MS has made a huge mistake when IE 4.x-6.x relied on CATID_SafeForScripting/CATID_SafeForInitializing COM component categories to make decisions whether it's safe to use the COM component from a JavaScript/VBScript.
CATID_SafeForScripting is not needed when the COM component is accessed from a stand-alone
IE has a kill bit feature which allows disabling certain scriptable COM components based on their GUIDs. And most IE security fixes are, in fact, just registry updates adding more of those "kill bits".
Examples: http://www.microsoft.com/technet/security/bulleti
http://www.microsoft.com/technet/security/bulleti
http://www.microsoft.com/technet/security/Bulleti
http://www.microsoft.com/technet/security/Bulleti
http://www.microsoft.com/technet/security/bulleti
http://www.microsoft.com/technet/security/bulleti
http://www.microsoft.com/technet/security/Bulleti
http://www.microsoft.com/technet/treeview/?url=/t
throw new SuccessException("Sig read successfully");
We haven't reached the tipping point yet. The tipping point from "blacklist" to "whitelist". People's computers still trust transmissions unless they are explicitly told not to. After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust". When an associate's own risk goes up, either through proximity through intermediaries with another associate that's not demonstrated uncompromised, or through failing vulnerability tests, or matching profiles vulnerable to newly identified threats, our systems will quarantine transmissions from them. Tainted info that's interacted with their transmissions will not be depended upon for any writeable operations. All our updated mitigations and responses will be brought to bear on the threat's local extent of transmissions. But the big difference will be that every system's default will be "distrust", and all systems will communicate their trustability as status changes.
This change will be as important to infosystems as was the transformation of life on earth from "prokaryotes", cells without a defined nucleus within a nuclear membrane, into prokaryotes, nucleated cells. Their DNA and other infosystems are compartmentalized from the other machinery of the cell, including those that interact with signal-carrying chemistry from the extracellular environment. That change is the basis for most of life on Earth, for most of the lifetime of the world. The changes in infosystems will likely be as epochal. And until the infodynamic boundary between humans and machines is no longer mediated by non-nervous tissue (like typing fingers and seeing eyes), it will primarily define our machines, as well as ourselves.
--
make install -not war
Already been fixed with Java 1.4.2 release last week. In fact I remember getting that update.
Now I am not saying that Viruses can not exist for mac, but at the same time it would not be easy for it to gain access to the entire system, since the only user that can modify the entire system is disabled by default (root). For years people have been saying "just wait, their will be a virus that affects Macs". Well I am still waiting for it. Sure you could tell people to download someone from a web page that then runs on the system, but thats not a virus. You could also use bonjour to send a file to everyone else on the network, but you would then need to find a way for it to get onto the network. Mail.app does not auto run scripts so you would have to tell a person to download a file (which would have to include a program to send emails via your SMTP server as defined in com.apple.mail.plist, since you can't tell mail to just send out an email, it would also need to include a feature to read your address book in order to send the emails via its own mail feature, and after doing all that you could send out a virus, but by the time you create a program that does all that you would probably be looking at a file at least 300K, and well the most you could really do is rewrite preferences so for example all jpeg images will now open with textedit, and then add itself to the startup group, but it could not add itself to launchd. To get rid of the virus the most you would really need to do is start the computer into safe boot remove the program from startup, and change the preferences it changed (or recreate the files that the "virus" deleted). Until that day comes I will still run my computer without virus protection.
What's it going to be like when all of China is wired?
Quite frankly I'm thinking something like the opening sequence of XenoGears, with the mass tentacles of spam reaching out to engluf us all, and the scrolling messages of "And Ye Shall Be As Gods" replaced by countless repititions of "Make Money Fast", "Strong Erections", "FREE!!!!!" and the like.
I'd like to play the part of the captain, giving a faint smile as I detonate the self destruct. Gods know it'll be better than the alternative.
May the Maths Be with you!
First I saw them talking about Mac... then I thought well - it's BSD based now, which has been around practically forever.
... not "hack into" and "gain")
Then I saw them mention a root kit for OSX and wondered to myself what good that would do without actually having a way to gain control in the first place.
(See definition of rootkit from wikipedia: "A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes."
Note the words "after cracking" and "maintain"
Sounds like a bunch of malarky disguised as solid information to scare people who aren't aware of more advanced computer concepts.
4. Watch as theives take your computer because you forgot to close the safe door.
Rod Taylor
When I first replied to jellomizer with what I thought was a reasonably tactful correction of his use of the word "hydrogenous", his signature said something to the effect of "Waiting until I get a root post with +10 Yea!" (paraphrasing).
Well, after I posted my response to him (read it for yourself here, he changed his sig to:
--
Insult me if you feel you must, Ill just mod down your other messages.
Out of curiosity, I checked my user page. Several of my comments in the last couple days have been modded down. Of course, nobody would have any reason to mod them down - they're long since off the first page.
Karma is so ridiculously easy to come by that I wouldn't imagine anyone would care enough to do such a thing. I think this qualifies as the most assinine use of mod points in quite some time. Congratulations, asshat!
I'm a big tall mofo.
Even assuming firefox has as many vulnerabilities as IE, there is still a matter of design that is advantageous to firefox (and detrimental to IE): Firefox is relatively isolated from the rest of the system, while IE is fully integrated. That allows a vulnerability in one part (say IE) to affect others (like Office or Outlook). It's not the first time a vulnerability in IE can be exploited via malicious e-mail. In the case of firefox, most of the damage tends to remain in the same place (firefox). Even if you somehow use firefox applied to incoming mail, a vulnerability would mostly leave the intruder/malware with firefox's capabilities and usually not with the MUA's.
It's just a matter of modular design.
GPG 0x1B479C78
I secured an old laptop of mine recently, now I fear no viruses, worms, spyware, adware, or anything any cracker wields! Haven't had a single problem since. It was easy. I took out its networking card.
And that, my liege, is how we know the Earth to be bannana-shaped.
No one thought the Unix systems of yesteryear were so vulnerable. They were. No thinks the Unix systems of today are as vulnerable. They are. In years past it was naive lack of understanding of the basic nature of the user base. These days, naive lack of fear.
I've seen people have that same attitude before someone draws down and leaves them a crumpled mess on a bar rooom floor. It didn't help them and doesn't help the OSX, BSD, and Linux crowd. You cannot underestimate the danger of the average users' whimsy and inexperience, the truly committed crackers, and the legions of script kiddies who learn their tools from the first two. It isn't Windows that is insecure and dangerous. Windows does nothing it isn't told to by people stupid enough to tell it so by accident or on purpose.
The future is pointed at self-contained encrypted containers of both interpreted and compiled code objects flitting about the global net and this future will be embraced by Microsoft and the only way that Microsoft will not entirely control it is if the major vendors arrayed against them co-opt the paradigm with standards themselves. The law of unintended consequences being what it is, there is no way that the non-MS community can say credibly that the sheer combinatoric explosion of possibilities for system interaction in this future will not affect them, no matter what their safeguards. It's like trying to guess the outcome of a mating based on a glimpse of a few genes of one parent.
Assume the worst or the worst will happen to you. Hold true in survival on the streets, in the jungle, or on the Internet. Blowing off the very idea is foolhardy in the extreme. The only option for Linux for its part to avoid it is to remain a sado-masochistic wrong and hard is better than right and easy platform which scares away the average user. In that case, Microsoft's hegemony is assured simply through the incompetence of their opponents, not that it isn't close to that already.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
I suspect it is for one of two reasons: Either doing physical damage to the PC (BIOS/MBR wipes) isn't that easy; or the machines are better protected than we think. Many people have hardware firewalls as part of their home routers. AOL can't be trusted to pass any packets..
obvious sarcasm
But sounds about right for slashdot modding lately.
I usually waste 2 or 3 mod points when they run out I guess maybe some people just use them up randomly.
The only problem I've had with my Mac came, surprisingly, not from some unknown and undiscovered internet vulnerability, but from Symantic.
That would be the "Norton Utilities" for Mac OS X they wrote and sold, that corrupts your hard drive because Symantic didn't bother to figure out how our filesystem works. Wonderful. I had to buy Diskwarrior to sort it out.
If you go to the Amazon page for the Norton Utilities they sold, it's still there, but along with the dozens of one-star reviews, there is a suggestion that Symantic has quietly stopped shipping it.
It will be a long time before Mac users trust Symantic again.
Protect your liberties. Donate to the ACLU
with the limited features of applescript
Yes, with such limited functionality as "do shell script", "run application", "write (file)", and "open url"...not to mention complete user-level control of most running apps (such as, say, Mail)...I really can't imagine how someone would pull off anything malicious.
When are we ever going to have adequate security? The term adequate is subjective. An unpatched, unfirewalled, virgin copy of WinXP could be adequate for any novice user, on the other hand, some would argue a computer with no external drives, nothing on the hard disks, locked inside of an Iresali safe, with welded chains on the outside, then sent into orbit in the outer parts of our solar system is still not secure!
There will never be adequate security. This is for one small reason. There is no such thing as a pefect system. The more advanced they become, the higher our standards will get. Adequate security is relative to our standards, thus is subjective.
Do what I say, cuz I said it.
-Meatwad
Well, I won't disaggree with you on the whole. It in fact mirrors my own thoughts and observations.
I once got a computer virused intentionally. (That was the only Windows virus I ever got, btw, so if anyone wants to start with the canned "Windows has viruses, use Linux instead" answers, spare your breath.) I was installing Windows 2000, had no firewall handy, and thought I'm too lazy to go buy a firewall or go burn Zone Alarm on a CD on someone else's computer. Also, I didn't know yet that I could just activate the built-in poor-man's firewall (yes, you can tell Windows 2000 to not allow incoming connections) to stay safe until I download the updates and a firewall. So, anyway, I thought I'd let it get virused while I download the firewall, then format and reinstall. It's not like 20 minutes extra are a major catastrophe.
So predictably it does catch an RPC buffer-overflow virus while downloading Sygate Personal Firewall. Then I block it from connecting to the network and play with it a little. It got me curious.
You know what was sad? It actually slowed the computer a lot less than Norton. You know what's sadder? Installing Norton and running a full scan didn't catch it anyway. It just slowed down the computer some more.
But still, Symantec isn't _the_ worst. Try McAffee sometime if you're masochistic. Not only it was even less efficient and slower, but also had such gems as:
- needed IE to download its updates, because it used some ActiveX crap, but it was too stupid to just launch IE, then. It launched the default browser, in this case Opera, and then couldn't get itself updated. That sad.
- it was installed on D: but the updates proceeded to install themselves in the default directory on C:. Worse yet, I wasn't just left with just an extra copy on the hard drive, but had two versions running in RAM at the same time.
- this got even funnier later when I uninstalled it, because one of the two versions remained installed and auto-loaded. I had to edit the registry to stop it. (If you thought only spyware has to be removed that way, McAffee is obviously the counter-example.)
- their "privacy" protection basically did nothing but try to protect me from cookies, including temporary login cookies on web sites. I suddenly couldn't use any sites that required login. Not even in a consistent and predictable way. E.g., Gamespy's Fileplanet got terminally confused and different pages thought that I was logged in and not logged in at the same time.
And so on and so forth. That was a rather non-funny experience.
A polar bear is a cartesian bear after a coordinate transform.
No, because Java does automatic array bounds checks, which makes normal buffer overflow vulnerabilities impossible - one of the most common kind if security flaw in C apps.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
And that very same reason, low market share, is why there are so few exploits for IIS and so many more exploits for Apache.
Oh, wait a minute. Reality is the other way around.
While blowing off the idea or possibility of an attack is stupid, your sky is falling routine is just as bad. You're first paragraph makes general assertions without any evidence of truth. Though Unix systems today are vulnerable (what isn't?) that is nothing compared to Windows.
It isn't a "naive lack of fear" to use a system that has more secure foundations and then be happy for it.
On the other hand, waiting for a bad exploit to occur before taking even the most basic precautions is equally absurd. Reactionary security is worthless security. For example, after the Khobar Towers bombing in Dhahran the military mandated a 1,000m standoff. Why? Because they figured that would be the required standoff to have protected from the last attack.
And what was the next attack? Small arms and vehicular assault in Riyadh. Basically, a perimeter rush using multiple, agile components. The 1,000 meter perimeter just went out the window.
Its so easy to stick your head in the sand and claim "all systems are vulnerable, lalala" or "no known remote exploits for mine, all is fine lalala" that the proper middle ground gets lost.
Someone where I work is setting up to secure a lab. They have checked and are looking to use a product that will provide limited capability logins (sounding very similar to OS X's limited user) -- but when I suggested to take the additional precaution of setting the bios password and turning off the ability to boot from anything but the hard drive the response I got was "why go to all that trouble?"
Here you have a sufficient concern to investigate and purchase a product, but no interest in taking the most basic steps to secure the hardware. Security isn't about patching some specific problem (the Windows approach), its about design, concept and approach (which FireFox is attempting, the unix-style operating systems take a stab at). To ignore the efforts in this regard is not just stupid, but counterproductive.
But I have a feeling you either lack any real depth of security understanding or are wearing MS blinders -- just like those poor fools who will wait for armageddon before taking any precaution.