Slashdot Mirror


AV Software Isn't Dead, But It's Not Healthy

dasButcher writes "Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no, but more is needed. Her answer: reputational analysis. Not a bad idea, but many have tried and failed to make this type of approach work. We've seen it all before: RBLs, integrity grading, etc. What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation. "

162 comments

  1. AV Software Isn't Dead... by Anonymous Coward · · Score: 5, Funny

    ...it's just pining for the fjords.

    1. Re:AV Software Isn't Dead... by Archangel+Michael · · Score: 3, Funny

      Whoo-hoo-hoo, look who knows so much. It just so happens that your friend here is only MOSTLY dead.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:AV Software Isn't Dead... by phoenixwade · · Score: 2, Informative

      ...it's just pining for the fjords. it's not pinin'! it's passed on! This software is no more! It has ceased to be! it's expired and gone to meet 'is maker! it's a stiff! Bereft of life, it rests in peace! If you hadn't nailed it to the perch it'd be pushing up the daisies! its metabolic processes are now history! it's off the twig! it's kicked the bucket, it's shuffled off its mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-SOFTWARE PRODUCT!!

      (I love the opportunity to make a Monty Python Reference! Second only to South Park.... oh, yeah:)

      They killed AV Software...... You Bastards!
      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    3. Re:AV Software Isn't Dead... by thunderclap · · Score: 1

      Hello, Anti! Wakey wakey! It's your nine o'clock alarm call. HELLO, ANTI. Thump Thump Thump! If anything the amount of decent antivirus product has shrunk again, and Microsoft is nowhere near it.

  2. The fewer the merrier by Reverse+Gear · · Score: 4, Insightful

    I sure am not a big security expert, so forgive my n00bish words here.

    I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need. Not by default to allow everything and then pick the things you do not want, but go the other way around and make the default to not allow anything and then enable the things you need.
    I guess this is one of the reasons I like Gentoo so much, I know everything that is installed on the system and I can remove it if I don't like it.
    I don't like to install all kinds of things that I do not know what they are and do not know if I can trust. The more things I have installed, the more vulnerabilities I also have.

    One of my friends once ran a version of Windows XP that he had pretty much scraped everything off that didn't need to be there. I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs; some of them seem to be causing more problems than they solve anyhow.

    1. Re:The fewer the merrier by Anonymous Coward · · Score: 0

      And for extra security, disable the things you do need! If you can't use the computer for anything, then THEY can't either.

    2. Re:The fewer the merrier by truthsearch · · Score: 2, Informative

      At the last place I worked, the IT department had their own XP distribution for the corporate desktops (ghost script or whatever). They started the process by deleting one DLL at a time and watching what broke. The problem was when my team created some new custom software we'd sometimes come across some fundamental problems because DLLs were missing. And these errors weren't always easy to track down.

      Now you might say we'd run into this problem with any operating system. But when using Microsoft development tools on a Microsoft OS, the system makes the assumption that every basic dependency which is built into the OS is there, which is reasonable. If it isn't, things get flaky and hard to debug.

      Windows (at least up to XP) simply isn't built for this level of customization. Therefore, if you want security through minimalism, Linux is the better way to go.

    3. Re:The fewer the merrier by Billly+Gates · · Score: 1

      My old man has a dying Windows 98 system that he refuses to upgrade. It has a 3dfx Voodoo1 card and the whole 9 yards.

      Anyway guess how many times he had to reinstall windows98 during the last 6 years? 0!

      Yes if you do not actually do anything but browse the web with firefox and occasionally run excel and word you will be fine even with the old win9x codebase.

      Linux at least does not have this issue due to the nasty registry entries.

    4. Re:The fewer the merrier by danpsmith · · Score: 4, Interesting

      One of my friends once ran a version of Windows XP that he had pretty much scraped everything off that didn't need to be there, I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs, some of them seem to be causing more problems than they solve anyhow.

      I think you are right in this thinking. Windows XP's services that are enabled by default are ludicrous. That's one of the main security problems with XP. What I don't understand is why someone doesn't just allow the computer to start with absolutely no services enabled, and then gradually ramp up to what the computer actually needs, turning services on only as they are needed.

      For instance, shutting down a service might make a certain set of USB gadgets not work. But when you plug the USB device in, Windows itself (or the OS itself) could recognize that the service is needed for the device to function and automatically enable the service. Depending upon how much this costs, it could automatically disable the service again if it isn't being utilized by anything else.

      Maybe I'm being naive, but that doesn't seem like too much to ask. On really strange services you could prompt for password information in order to ramp up the ability to use them or something. Makes sense to me.

      It seems to me that Windows has everything enabled by default to be user friendly. But couldn't you do the same thing using this method? Instead of having a bunch of services running at idle constantly, turn 'em on when you need 'em.

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
    5. Re:The fewer the merrier by Chacham · · Score: 0, Offtopic

      I sure am not a big security expert, so forgive my n00bish words here.

      NAUGHTY BOY

      Nor Are U Going To Yield Big Obfuscated Yucky acronyms

      (It's a silent H...)

    6. Re:The fewer the merrier by stratjakt · · Score: 2, Funny

      Gentoo just crapped its pants on me in the middle of an "emerge -uD world", and now the box is borked. Won't boot, not even in single user mode. Reinstallation is a multi-day affair. Fuck that. At least you can flatten and rebuild a windows box in an afternoon.

      But boy is it secure, it can't even spawn a tty.

      --
      I don't need no instructions to know how to rock!!!!
    7. Re:The fewer the merrier by Reverse+Gear · · Score: 1

      Well if you want to reinstall then that I am not going to stop you, but repairing a messed up installation usually isn't that hard if you know a bit about the system or go get a bit of support on the Gentoo Forums.
      Just use a bootable CD and chroot into the system and get whatever fails on you fixed.
      If it is a hardware failure then that is something totally different and it should not in the first place be blamed on Gentoo (even though compiling can be tough for the HD)

    8. Re:The fewer the merrier by Intron · · Score: 3, Informative

      Deleting DLLs is not the right way to "minimize the system". What you want to do is turn off unneeded services, not blow holes in your OS. Linux would fail just as badly if to turn off services you started deleting the contents of /usr/lib instead of disabling daemons in /etc/init.d.

      --
      Intron: the portion of DNA which expresses nothing useful.
    9. Re:The fewer the merrier by nospmiS+remoH · · Score: 1
      --
      !hoD
    10. Re:The fewer the merrier by Anonymous Coward · · Score: 0

      > It seems to me that windows has everything enabled by default to be user friendly.
      > But couldn't you do the same thing using this method? Instead of having a bunch of
      > running services running at idle constantly, turn em on when you need em.

      Pardon me, but wouldn't you need a service to manage this functionality? And wouldn't that service be an even greater target for exploit-hunting?

    11. Re:The fewer the merrier by Tanktalus · · Score: 3, Interesting

      Er...? You've disabled IIS. The OS detects an incoming request on port 80. It enables IIS. Attacker leaves behind malware. IIS goes back down.

      Other than that, I like your idea. If, for example, when it detected a service was needed, it popped up a nice dialog box saying something like, "Windows has detected an incoming request on port 80. is currently disabled. Enable? [ ] Don't ask this again. [Yes] [No]". And then, here's an important bit, if no response is detected within 30 seconds, assume "No", and continue. And log this in the system log. Maybe even email it to the user so they see it. (The email wouldn't happen for requests that were marked "Don't ask this again".)

      I'm pretty sure a similar concept on Linux could apply - even if there's no user interface, just logging what comes in. In fact, I suspect some people have already set up iptables or ipchains or whatever to do exactly that: log all "intrusion" attempts. With a bit of work, I'm sure that some ports could be emailed (say, by default), with some trivial manner of masking ports (analogous to the "Don't ask this again" from above) to not receive notices about that port anymore. Possibly with netmasks - email me if someone comes in on 443 from 192.168.0.0/255.255.255.0, but not anyone else (ignore https requests from the internet completely).

      In fact, I'm pretty sure someone has something like this already ... probably on sourceforge by now ;-)
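      The logging-and-notification scheme sketched in the post above, as an added example that is not from the poster or from any existing tool: a Python filter over constructed iptables LOG lines that applies a "don't ask this again" port list and the per-network exception (443 from 192.168.0.0/24 is reported, 443 from the internet is not). The log field layout, the policy values and the function names are assumptions.

```python
import ipaddress
import re

# Constructed iptables LOG lines standing in for what the kernel logs for
# connection attempts on ports nothing is listening on. Not real traffic.
SAMPLE_LOG = """\
Jan 12 10:01:02 host kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.1 PROTO=TCP SPT=40212 DPT=443 SYN
Jan 12 10:01:05 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.1 PROTO=TCP SPT=52210 DPT=443 SYN
Jan 12 10:01:09 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.1 PROTO=TCP SPT=52211 DPT=23 SYN
Jan 12 10:01:11 host kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.0.1 PROTO=TCP SPT=33001 DPT=80 SYN
Jan 12 10:01:15 host kernel: IN=eth0 OUT= SRC=192.168.0.9 DST=192.168.0.1 PROTO=UDP SPT=5353 DPT=5353
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")

# Notification policy (assumed values, chosen to mirror the comment's examples):
# IGNORE_PORTS is the "Don't ask this again" list; RESTRICT_TO lists ports that
# are reported only when the source falls inside one of the given networks
# (443 from the LAN is worth a notice, 443 from the internet is just noise).
IGNORE_PORTS = {80}
RESTRICT_TO = {443: [ipaddress.ip_network("192.168.0.0/255.255.255.0")]}


def parse_line(line):
    """Pull source address, protocol and destination port out of one LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": ipaddress.ip_address(m["src"]),
            "proto": m["proto"],
            "dpt": int(m["dpt"])}


def should_notify(event, ignore_ports=IGNORE_PORTS, restrict_to=RESTRICT_TO):
    """Apply the policy to one parsed event."""
    port = event["dpt"]
    if port in ignore_ports:
        return False
    nets = restrict_to.get(port)
    if nets is None:
        return True  # a port with no special rule: always tell the user
    return any(event["src"] in net for net in nets)


def notifications(log_text, ignore_ports=IGNORE_PORTS, restrict_to=RESTRICT_TO):
    """Return the events from a LOG excerpt that the user should hear about."""
    out = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and should_notify(event, ignore_ports, restrict_to):
            out.append(event)
    return out


def format_notice(event):
    """Render one event the way the dialog in the comment phrases it."""
    return (f"Incoming {event['proto']} request on port {event['dpt']} "
            f"from {event['src']}; the service is currently disabled.")


if __name__ == "__main__":
    for ev in notifications(SAMPLE_LOG):
        print(format_notice(ev))
```

      Run against the sample, only the LAN probe on 443, the telnet probe on 23 and the unexpected UDP 5353 packet are reported; the port 80 hit is masked and the internet-side 443 hit is filtered by the netmask rule.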

    12. Re:The fewer the merrier by pkulak · · Score: 1

      So, at first telnet is not enabled, but when a request comes in on port 23 it's turned on? "Turned on by default" doesn't seem any different than having it on to begin with.

    13. Re:The fewer the merrier by laffer1 · · Score: 2, Insightful

      At first, this sounded like a good idea. Consider though that the OS still needs to have code to detect what the USB device is. So Windows must see "hey, I've got a USB mouse" or whatever and then load the service for it. That means the service is started later, after scripts have time to bork the environment, and many services common on desktops will get triggered eventually anyway. So an attacker, or rather his script, may have to wait some time to get his malware executed, but it will still occur. Since the service is not started early in the boot process, the environment could be tainted as well.

      There is a balance between good security and flat out disabling valuable functionality. This balance is why Microsoft made Windows so open to begin with. They didn't see any threat and wanted users to be able to do whatever they wanted. (minus view the source code and customize at that level)

      One problem with open source is that we don't have everything users want yet. A typical end user wants to be able to surf, edit photos, read email, IM, listen to music, watch DVDs and run office productivity software. Then you start getting to specialized groups like people who use financial software, play games, develop software, engineering apps, math apps, etc. At the same time, these users expect usb devices, sound cards, tv tuners, printers, and any other thing they plug-in to just work. Some linux distros have this down, but there is no consistency in applications. Many projects actually have to put up translation lists telling the user what the browser, im client and things are called. IE = firefox, MSN = gaim and so on. When you start disabling services, things start to break or become more difficult for the user. It doesn't mean everything should be on (who needs an echo server running).

      So your idea may work for a subset of services or kernel modules, but we need other approaches to secure many services. Let's face it, the approach may not be right, but Trend Micro is correct in assuming they need some new tricks. Vista is slightly more secure than previous versions of Windows and as such malware authors are going to step up to the new challenge. So detection software must also improve. It's like the transition from telnet to ssh. For a while, I felt *safe* using ssh because there were so many other targets on a clear channel to attack. As more people migrate to Vista, or better systems, the type of attacks will change.

      Your idea requires validation that loading a service is really necessary and safe.

    14. Re:The fewer the merrier by brunascle · · Score: 1

      I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need.
      not sure who said it first, but this month's Linux Journal attributed this quote to Marcus Ranum:

      that which is not expressly permitted is forbidden
    15. Re:The fewer the merrier by bendodge · · Score: 1

      But when you plug the USB device in, Windows itself (or the OS itself) could recognize that the service is needed for the device to function and automatically enable the service. Just set the service startup type to Manual and it will do that.
      --
      The government can't save you.
    16. Re:The fewer the merrier by billcopc · · Score: 1

      Seriously, what more does the average user do with a computer ? Just because I'm a code monkey, doesn't mean my whole family is too. They're quite happy doing web, email, excel and a few Popcap games. The whole idea of a 4gb operating system to do that is ludicrous.

      --
      -Billco, Fnarg.com
    17. Re:The fewer the merrier by sconeu · · Score: 1

      I believe that one's from E.B. White's "The Once and Future King" when the Wart goes with the ants.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    18. Re:The fewer the merrier by BlackEmperor · · Score: 1

      I've been using PCs for a while, since about 1988, and connected to the net since 1994, and I have *never* ever installed any AV software on any of the PCs I have owned. I believe it's simply a scam based on scare tactics.

      The only virus I've ever actually seen was the bouncing ball virus, which was a floppy boot sector virus back around 1989/90, and it wasn't on my PC.

      I do however today run windows defender on my xp machines, plus firewalls etc... as this *is* important, but AV software? Meh.

      --
      "all broken things dream of repair" - chris letcher
    19. Re:The fewer the merrier by twistedsymphony · · Score: 1

      It's quite amazing how uninfected most people's computers are when they get rid of the crap they don't need and start using Firefox & a few extensions. I've got an IBM Thinkpad T20... it's a P3 533MHz, 256MB RAM, 12GB hard drive, 4MB S3 Video.. it's a beast I know.

      It had Win98 on it when I got it back in 2000, I put Win2000 on it, and later XP once SP1 came out... after installing XP the DVD drive died... I use it for browsing, streaming media from my desktop, car diagnostics on track days, as well as a navigation system via a USB GPS device. It's got image tuning software for adjusting and tuning the image on my home theater screen. I take it on vacations with me to dump my digital camera data to, as well as manage some of my websites. And I even do a bit of web development on it (graphics too, Paint.net/GIMP run great) when I feel like taking a break from the office and heading to the coffee shop or even just trading in the desk chair for a couch. Since the disc drive died I couldn't install a new OS on it if I wanted to... but I've never had the need. I've stripped out all the crap I don't need in XP, and I run the bare minimum of applications to do what I need to do. I can't remember the last time it locked up on me, nor any other problems, and IIRC it was probably back when I had Win98 or 2000 on there. It runs quick for its age, it's reliable and consistent.

      I'm sure you could get the same kind of reliability using IE but the user needs to be actively diligent in keeping out malware and other internet nasties. FF+Adblock+Flashblock+Noscript does more for most people's computers than even the most advanced AV software on the market. As for the garbage applications that come pre-installed, I swear most computer companies are throwing that crap on there just to help bog the system down and make people think they need another upgrade every year. Windows is no better, and Vista pushes new heights on the front of OSes pre-loaded with useless resource-wasting garbage.

      FWIW I use NOD32 for my AV needs

    20. Re:The fewer the merrier by Anonymous Coward · · Score: 0

      I'm not an expert, but wouldn't that require there to be services to monitor for when the parent service should be enabled?

    21. Re:The fewer the merrier by Spleen · · Score: 1

      Isn't this like the Mac commercials already?

      Vista: A USB device has been detected, would you like to start the USB service? Allow/Deny
      PC: Allow

      Vista: The USB Device is actually a Camera and a Microphone, Windows would like to enable both devices? Allow/Deny
      PC: Allow

      Mac: Hey PC, What are you up to?
      Vista: Mac would like to talk to you. Allow/Deny
      PC-to-Vista: Allow
      PC-to-Mac: Installing a camera but Vista is pissing me off..

    22. Re:The fewer the merrier by Foolhardy · · Score: 1

      For one thing, since Win32 doesn't have setuid, it uses a privileged local service for such programs instead. A lot of the services are local only. Something like a device support service would naturally be local only. Of the remotely reachable services that start automatically by default in XP SP2, they either can't be turned off or are indeed on to be convenient.

      Windows NT was designed for LANs in which a central authority can control all the computers and ask them for information, so the Local Security Authority service always listens for authorized network requests. The only way to make it unreachable from the network is using a firewall. LSA's design prevents it from being used by unprivileged users, but implementation flaws in it have fueled worms in the past.

      In NT4, RPC became a necessary service because certain internal components started using it for local RPC. It's possible to disable the remote transports via the registry. RPC has been the source of multiple vulnerabilities, both on Windows and various UNIXes.

      The computer browser is enabled by default to be convenient, and can be helpful any time you're connected to a network. The Server service enables file and printer sharing, and most users expect it to be on. Remote registry goes with the central admin design, but should probably be off. Some sites recommend turning all of these off. They haven't been vulnerable in the past AFAIK.

      Lots of services are set to manual and only get started on demand. For example, if you set the Help and Support Center service to manual, it'll only be started when you open the Help and Support Center. Each service has a security descriptor which controls the users that are allowed to start and stop a service: most allow any interactive user to start them. This site has a good overview of services and lists a conservative configuration. It isn't all that far from the Microsoft default config for the automatic starting of network services. Unfortunately, the worst offenders can't really be disabled and most malware gets in via privileged users running arbitrary binaries, not network worms.

    23. Re:The fewer the merrier by Anonymous Coward · · Score: 0

      Look under Administrative Tools -> Computer Management -> Services -> Startup Type
      You can set the services to startup as Automatic, Manual, Disabled...
      That will allow you to have services available without having them running by default, but this doesn't allow one to automagically shut down a service when it's not in use... That would be a nice option.

    24. Re:The fewer the merrier by SatanicPuppy · · Score: 1

      I think what he's getting at is that, for Windows, all of it's libraries have to be in place for it to be a functional system, whereas for linux, many libraries can be removed from the system without compromising functionality.

      In the old days, they used to say, "Never install compilers, because if someone cracks your system, then they can use them to generate rootkits, etc." I still here people spouting that line, but the truth is, if they crack your system, they can bring those things in themselves, without much effort...Broadband has made that simple. Same is true with missing libraries...Lot of viruses work by replacing existing libraries with their own hacked versions, so having that library missing in the first place isn't going to make 'em even blink.

      I think that trying to make your system less functional in order to limit your exposure when it gets cracked, isn't really the way to go. It's one thing to have one major application per system, and another to try and cut out libraries in the hopes that someone might need them while they're hacking you. One is compartmentalization, the other is pooping where you live.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    25. Re:The fewer the merrier by SatanicPuppy · · Score: 1

      it's = its
      here = hear
      puppy = tired

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    26. Re:The fewer the merrier by Moofie · · Score: 1

      "I know everything that is installed on the system and I can remove it if I don't like it."

      How do you know whether to like it or not (from a security perspective, that is)?

      --
      Why yes, I AM a rocket scientist!
    27. Re:The fewer the merrier by mgblst · · Score: 1

      Your IT guys are a bunch of morons. There has been plenty of work done in this, just look up hfslip and reducing windows install size. The trick is to try to understand what each of those dlls do before you delete them, and remove them from the pre-install image. Then remove them from the install script, and they will never be installed.

  3. Can I be the first to say it? by zappepcs · · Score: 3, Interesting

    We need a new word to deal with this technology:

    Webutation; The reputation an entity has, stemming from its web presence.

    1. Re:Can I be the first to say it? by Anonymous Coward · · Score: 0

      And it would be easier to pronounce for non-English speakers who have trouble with the letter 'R'

    2. Re:Can I be the first to say it? by jimstapleton · · Score: 1

      Ooh, lets patent it! Don't tell the slashdotters though, they might get mad...

      *looks around*

      *runs*

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    3. Re:Can I be the first to say it? by hal9000(jr) · · Score: 1

      Somebody slap zappepcs, please. :)

    4. Re:Can I be the first to say it? by Anonymous Coward · · Score: 0

      Die, marketdroid.

    5. Re:Can I be the first to say it? by Digital+Vomit · · Score: 1

      I suggest the phrase "online reputation" instead.

      I'm esick to ideath of words being made up to describe the same old thing only ONLINE ZOMG!!!1!

      --
      Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
    6. Re:Can I be the first to say it? by DeadChobi · · Score: 1

      And then we can coin a new word for the security journal of this era! We'll call them "Webutationlog" or Weblog for short. It'll be brilliant and not at all stupid-sounding!

      --
      SRSLY.
    7. Re:Can I be the first to say it? by Xtravar · · Score: 2, Funny

      Brilliant! Let me have a try!

      I'm e-sick to iDeath of WRDZ being webhanced to .Sell morenet of the360 blueSame VoIPOOP.

      JAVA!!!

      --
      Buckle your ROFL belt, we're in for some LOLs.
    8. Re:Can I be the first to say it? by Anonymous Coward · · Score: 0

      Fuck you.

  4. Bad Rep...? by __aaclcg7560 · · Score: 1

    If we're not careful, Trend Micro might give us all a bad Web reputation.

    Who is Trend Micro and why should I care if they give me "a bad Web reputation"? Considering that this is Slashdot, I'm not sure how someone's Web reputation can get any worse.

    1. Re:Bad Rep...? by drinkypoo · · Score: 1

      Who is Trend Micro and why should I care if they give me "a bad Web reputation"?

      Trend Micro is a company that makes a variety of mediocre software that is constantly lauded as being superior to all others by ignoramuses who don't keep up with the modern world.

      Among these products, unfortunately, is a system built into various Cisco security appliances. It is used to classify software. For example it is certain that various password sniffing utilities are trojans/malware. I was trying to save the IT department from having to reset my email password but I couldn't download mailpv because they were sure it was a trojan.

      As such Trend Micro is already preventing legitimate security tools from being downloaded in businesses around the world...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Bad Rep...? by drinkypoo · · Score: 1

      I can understand why it would be frowned upon, but it is not a trojan, and classifying it as such only confirms to me that Trend is fucking clueless. If they had a separate category of stuff that IT doesn't want you to have, then I would be more understanding. BTW mailpv is not a sniffer, although the same guy does have a sniffer product that does sniff passwords. Which doesn't work, at least in my experience. mailpv only recovers local passwords and it doesn't work on current versions of thunderbird anyway :/

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Bad Rep...? by Daniel+Rutter · · Score: 1

      The proper plural is ignorami

      No it isn't.

  5. Re: AV Software Isn't Dead by Anonymous Coward · · Score: 0

    AV software?

    Why should someone use something else than MPlayer http://www.mplayerhq.hu/ for Audio/Video playback?

  6. Trivial answer! by VincenzoRomano · · Score: 5, Insightful

    Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no.
    If you ask an Oil company whether oil derived fuel engines are dead, they'll answer the same way.
    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]

    1. Re:Trivial answer! by Anonymous Coward · · Score: 0

      Traffic yesterday begs to argue that petroleum powered engines still work...

  7. Reutational analysis roblematic by Anonymous Coward · · Score: 2, Interesting

    If eople want to use reutational analysis on this roblem, there's lenty of others I'd ersonally trust over Trend Micro.

    Oh the stories I could tell as a former emloyee of this comany. Not only the missing "p" problem; there was the time they used a telephone number as a phishing signature (too bad it was the actual phone number of one of the largest banks in the US--and that all that bank's legitimate email to customers was trashed)--that was one big account they lost the next day. Or what about the time that a bad signature file took down about 80% of PCs in Japan. Or when it turned out that the library that scans for viruses was actually a vulnerability. Or the time...

    Soooo glad I don't work for those guys any more.

    1. Re:Reutational analysis roblematic by Anonymous Coward · · Score: 0

  8. Take it from me... by Spudtrooper · · Score: 1, Funny

    I said, "Mom, what are you doin'? You'll ruin my rep."
    She said, "You're only 16, you don't have a rep yet."

  9. I read it the other way around by Billly+Gates · · Score: 2, Informative

    AV software is alive more than ever thanks to crackers on the internet and buffer overflow malware ads on webpages.

    Problem is the software is not healthy indeed and can screw up a whole system. It's like their approach to neutralizing a hammer is to encapsulate the whole thing. Every I/O transaction is read and maybe even virtualized.

    Does it stop virii? Hell no. I worked help desk at a gaming company which uses the IE SDK for some code on the logon screen. Anyway it won't load if any viruses or keyboard monitoring programs are installed which use the IE SDK. I get many callers saying "WTF. I have Norton. What do you mean my system is infected!?". I then clean the system with some cheesy app that is not an antivirus program.

  10. The first 3 rules of computer security. by khasim · · Score: 4, Insightful

    #1. There is no security without physical security.

    #2. Run only what you absolutely need.

    #3. Run it with the minimum rights possible.

    The reason that Trend Micro's "new" approach will fail is ... rather long. Follow along for a moment.

    a. Vulnerability is found and exploit is written.
    b. Exploit needs to be distributed.
    c. Exploit is distributed via a quick spam flood - they have no protection against this.
    d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
    e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
    f. So Trend Micro will have to violate robots.txt and that behaviour should be noticeable. So the bad guys would hide that file from something that looks like a webcrawler that doesn't respect robots.txt.

    And we're back at the beginning.

    1. Re:The first 3 rules of computer security. by voice_of_all_reason · · Score: 3, Funny

      #1. There is no security without physical security.

      Hire a bodyguard to stand over your ethernet jack, then chase down and beat interlopers with a nightstick? I like the way you think...

    2. Re:The first 3 rules of computer security. by sjwoo · · Score: 1

      I thought the first two rules of computer security go like this:

      1) You do not talk about computer security.
      2) You do not talk about computer security.

    3. Re:The first 3 rules of computer security. by shmlco · · Score: 1

      You forgot #4. Develop smarter systems.

      In particular, outward-facing software like mail clients and web browsers and feed-readers should automatically run with minimum rights (no matter what the user's rights) AND be sandboxed or virtualized such that malicious entities and hacks have nowhere to go.

      In addition, any files saved across the boundary are automatically scanned and, if possible, validated. You may not know what some unknown virus signature looks like, but you sure as heck ought to know if an Excel document's format is valid or not. Develop a set of trusted validators for common formats (text, jpg, etc.) and require vendors to create them for their document types.

      And layer the OS. Cycle-counters might not like it, but on a desktop system (heck, even on servers) putting rings around core kernel functions makes a lot of sense. Today's systems are fast enough that we can well afford to trade off a percentage point or two for security and stability. Be honest. If out of the box your new 4GHz quad-core computer was 1-2% slower, how would you even know? It would still seem light years faster than the 2GHz single-core it was replacing.

      As far as that goes, run the ENTIRE OS in a virtual layer. We seem to be heading there anyway...

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
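
      The "trusted validator for common formats" idea in the post above, worked through for one format as an added example (not code from the thread, from Trend Micro or from any vendor): a structural PNG validator that checks the file signature, the framing of every chunk, each chunk's CRC, that IHDR comes first with sane dimensions, and that IEND is last with nothing after it. It never decompresses image data, so its cost is bounded by the declared chunk lengths, which are themselves checked against the actual file size. The sample image is constructed inline; the function and constant names are this example's own.

```python
from __future__ import annotations

import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1  # PNG spec: chunk data length must not exceed 2^31-1
VALID_BIT_DEPTHS = (1, 2, 4, 8, 16)


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input; not a file from any real source."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def validate_png(blob: bytes) -> tuple[bool, str]:
    """Structural validator: signature, chunk framing, per-chunk CRC, IHDR first, IEND last.

    Deliberately does not decompress IDAT: the work is linear in the file size and every
    declared length is checked against the bytes actually present before it is trusted.
    """
    if not blob.startswith(PNG_SIGNATURE):
        return False, "bad signature"
    n = len(blob)
    pos = len(PNG_SIGNATURE)
    index = 0
    while pos < n:
        if n - pos < 12:  # length + type + CRC is the smallest possible chunk
            return False, f"truncated chunk header at offset {pos}"
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if length > MAX_CHUNK_LEN:
            return False, f"chunk length {length} exceeds spec maximum"
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            return False, f"non-alphabetic chunk type at offset {pos}"
        data_end = pos + 8 + length
        if data_end + 4 > n:  # declared length must fit inside the file, CRC included
            return False, f"chunk {ctype.decode()} overruns end of file"
        data = blob[pos + 8:data_end]
        (stored_crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != stored_crc:
            return False, f"CRC mismatch in {ctype.decode()} chunk"
        if index == 0:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not a 13-byte IHDR"
            width, height, depth = struct.unpack(">IIB", data[:9])
            if width == 0 or height == 0 or depth not in VALID_BIT_DEPTHS:
                return False, "IHDR has invalid dimensions or bit depth"
        pos = data_end + 4
        index += 1
        if ctype == b"IEND":
            if length != 0:
                return False, "IEND carries data"
            if pos != n:
                return False, f"{n - pos} trailing bytes after IEND"
            return True, "ok"
    return False, "missing IEND"


if __name__ == "__main__":
    sample = make_sample_png()
    print(validate_png(sample))            # constructed good file
    print(validate_png(sample + b"junk"))  # payload appended after IEND
```

      A validator of this shape says nothing about whether the pixels are pleasant, only whether the bytes are a well-formed instance of the format; that is exactly the question a boundary scanner can answer cheaply, and a file that fails it has no business being opened by a full decoder.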
    4. Re:The first 3 rules of computer security. by wolverine1999 · · Score: 1

      And it likely would be classified as a bad bot by scripts set up to detect them....

    5. Re:The first 3 rules of computer security. by OriginalArlen · · Score: 1

      You forgot #4. Develop smarter systems.

      Already done, thirty-five years ago.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    6. Re:The first 3 rules of computer security. by Anonymous Coward · · Score: 0

      Yeah and what's this entropy.bin? Random data? Sploit?
      How about this thing with signature BZh? bzip2 archive, right? I suppose we have to look inside it to validate it. Oh, but that requires 2700K of RAM and nearly one second to unpack the first block so that you can even determine what it contains.

      I also use another kind ending in .cs2. Only problem: there are *no* invalid .cs2 files that are longer than ten bytes.

    7. Re:The first 3 rules of computer security. by Ungrounded+Lightning · · Score: 1

      1) You do not talk about computer security.

      That's "security through obscurity" which has been shown to do more than buy you a (very) small amount of time, then fail catastrophically.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    8. Re:The first 3 rules of computer security. by SatanicPuppy · · Score: 1

      If your security won't stand up to public scrutiny, then it isn't really secure...You're gambling on everyone being dumber than you, and they're probably not.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  11. This is why reliance on AV software is dangerous by Alioth · · Score: 4, Informative

    Funnily enough, I just wrote about this:

    http://slashdot.org/~Alioth/journal/167405 - includes a link to a major study of a piece of malware which went undetected by the AV companies for months.

    Or just go to http://www.secureworks.com/research/threats/gozi/ if you don't want to read my crap.

    I've personally witnessed two malware infections where the malware arrived up to a week before the AV companies had updated their definitions.

  12. a bigger problem by JeanBaptiste · · Score: 1

    is the ABSOLUTE CRAP that is either Norton/Symantec or McAfee.

    I'm old enough to remember when both programs were fantastic; it sucks to see what they have become. They cause more problems than they fix, bloated crapware. And don't even think about trying to uninstall them, you're better off reformatting and reloading.

    rant over.

    1. Re:a bigger problem by SamMichaels · · Score: 1

      licensed/321

      Ahh the good 'ole days :)

    2. Re:a bigger problem by Esion+Modnar · · Score: 1

      Try SymNRT. Symantec publishes it to remove their software that is too borked up to uninstall the normal way. Go to www.symantec.com/symnrt.

      --

      They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
    3. Re:a bigger problem by Stevecrox · · Score: 1

      Norton uninstalls? Since when? The only way I know to get Norton off a hard drive is to use big magnets; even then you might need a priest and a cow to sacrifice.

      AV software's never been any good. My little sister put Norton on her PC because she had an MSN malware problem. Norton caused more hassle and effort than the stupid Bonzi Buddy ad did. It's been 3 months since then and I still haven't actually managed to uninstall Norton. I keep deleting files and it keeps downloading them again. My experience with any anti-virus solution is that they're worse than a virus itself. When I used to fix machines I would just go to BullGuard's website and work out which virus it was and then install the patch; it was much better than dealing with BullGuard's AV application.

      Oh, I'd like to mention some anecdotal evidence as well. Two years ago I moved into my new house; we had five computers and each one had a different anti-virus app on it. BT screwed up and we didn't have a phone line, so I unplugged the router. Every one of those AV programs (Norton, Macrappy, F-Secure, BullGuard and Trend) reported 'attacks from outside sources' and I saw four of them list external IP addresses, while Norton and Macrappy did also suggest attacks from internal (192.168) addresses. I found this interesting since every machine at the time was wired only and the router wasn't unpacked.

      My aunt bought a Macrappy subscription; a week later Macrappy stopped all outgoing traffic. Phone Macrappy customer support, they tell her to go online and download the latest patch. I had to spend thirty minutes walking a dumb woman through the logical problem of "Macrappy not see internet, your patch you say only available through your autoupdate thing, me not able to get to patch, what's the virus called so I can find a patch".

      They all need to go out of business. If it's easy to install and has a good interface then it kills system performance (an AMD64 4400 should not struggle to load Avast/F-Secure); if it doesn't kill system performance then it burrows itself in like a tick and starts breaking things. The only one I found to be nice to use and not kill system performance was Live OneCare, but review sites say its definition listing is poor compared to the others and there's no 64-bit version.

      I'll get to my point now. I use AV software sparingly (basically whenever I get one free with a new motherboard). In the last ten years online I've caught 1 virus and that wasn't because of the web (tip to 14 yr olds: when backing up a virused machine DON'T put the files on your machine before you run an AV app). Sure I'm behind a firewall but it's nothing special; I just don't open spam, read everything before I say 'Install' and, this is the big one, DON'T GO TO PORN SITES. I realise this is Slashdot but still. I'm not saying I don't get malware or spyware, but then Spybot is actually a great little application.

    4. Re:a bigger problem by Kaitnieks · · Score: 1

      Thankfully there is one good one still left, but that's because it's newer than Norton and McAfee. The wonder-AV I'm talking about is NOD32.

    5. Re:a bigger problem by Anonymous Coward · · Score: 0

      I only trust Kaspersky .. best features, best detection.
      It's a shame it isn't carried on most store shelves.
      Beware the Mafia of the AV Companies!

  13. Botnet by daeg · · Score: 2, Funny

    So to defend against botnets, Trend Micro will make a massive spidering botnet capable of indexing and cataloging 100 million domains. If Morissette were available, I'd quiz her if this situation qualifies as ironic.

    So help me if they don't honor robots.txt.

  14. You have to trust something by starseeker · · Score: 4, Interesting

    At a certain point, networking requires trust in order to realise it's potential benefits. Open source wouldn't work if everyone had to read every line of source code before running a program, so various organizations and projects develop trust and reputations. We know Debian, Fedora, Gentoo, etc. are OK and can proceed to use them with minimal trouble. A brand new Linux distribution must climb that hill, in addition to providing sufficient incentive for people to find out if they can be trusted. That's tough.

    The anonymous nature of the web is what allows things like virus writers to succeed - if they couldn't hide, they wouldn't assume the responsibility for what they're doing (well OK a few nut cases would, but the same is true in real life.) However, forcing unique identities on people opens up a host of other problems, some of them more serious than the ones we have today.

    So we must operate in the twilight world of making networks which cannot be successfully attacked by bad actors. There are a wide variety of intermediate solutions, like today's anti-spam techniques, wikipedia's system and even slashdot's own moderation system. But none are perfect and none can be perfect - the problem is not solvable in general. Open source actually helps this in one major way - the community controls that operate in the real world to keep human social systems functional also operate (to some degree) in small scale projects. There the individual traits of interested parties become known over time, and recognition and trust can be built up based on more than just a name or email address. It is not perfectly robust, but then no system to date has been.

    Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization. We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology. The fact that spam emails can be identified at all, for example, is really just an indication of the lack of skill of spam writers. Likewise, someone really wanting to distribute a virus can just make a freeware program that actually does something real and useful long enough to build a reputation, and then when it is widely distributed trashes every system it is installed on. There are always ways to attack a target, if enough effort is put into the planning. The trick is to be fault tolerent and recover quickly. In specific cases better security can be achieved (classified information, etc.) but for the general case it will always come down to dealing with the consequences of antisocial behavior as it happens.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
    1. Re:You have to trust something by starseeker · · Score: 1

      beg pardon, that should be "realize its" not "realise it's" - sorry.

      --
      "I object to doing things that computers can do." -- Olin Shivers, lispers.org
    2. Re:You have to trust something by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      At a certain point, networking requires trust in order to realise it's potential benefits... We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology.

      I agree with most of your comment, at least in principle. I think one of the most important ways the industry needs to jump if it is going to make the malware problem a minor inconvenience or a rarity, is to build tools to harness the intelligence and trust of others, be they communities, formal organizations, or commercial enterprises.

      OS's need to start relying upon the amount of trust given to a piece of software or network service and restricting them appropriately based upon that level of trust. Channels for "voting" on how much some software or service should be trusted need to be made open and user configurable. And by "voting" I don't mean individual people should be voting on if some software is reliable. I mean the user should be subscribing to intelligence feeds from malware watchdog groups, commercial anti-malware services, OS vendor provided services, and online communities. The end user should be responsible for deciding who they trust and the OS should be responsible for translating that trust into one consolidated policy for restricting the access given to Web sites, applications, network services, etc.

      I want to be able to get a random executable in my e-mail inbox, double click on it to run it, and have the OS discover if it is signed, if it is certified, if it matches any malware signatures, and what level of trust it should be given based upon a merge of several different information sources to which I have subscribed. Then I want the OS to automatically apply an ACL to that executable or even run it in a VM, based upon the ACL included in the application (if present) the ACL my OS has specified for that trust level/app type, and the ACL suggestions from said information services. I want all this to happen more or less in the background with me just double clicking it.

      I honestly think that until such a system is built into mainstream OS's the malware problem will continue, full speed ahead. The problem with this is only Microsoft is in a position to really do this because of their monopoly and their position as the only real target for current malware. Further, I don't think they are capable of doing it because of the way they are organized. They don't lose enough money when their users are compromised because of their monopoly. Their entire business is built on lock-in instead of quality, so they would almost certainly implement a signing/certifying system that locked users into them, and thus provided mostly useless information since there would be no competition among providers. They have repeatedly shown themselves incapable of taking security seriously and when UI is a vital part of security they have never, ever shipped anything that was not a disaster.

      My only real hope for the malware situation to be contained is encroaching OS X on the desktop and encroaching Linux in business that might break their choke hold long enough for someone else to do it right, or for MS to be forced to compete to survive, resulting in a real change in Redmond. Without antitrust laws being enforced, however, it is a long shot.

    3. Re:You have to trust something by Phroggy · · Score: 1

      Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization.

      Sure, that used to be the case. Now, I think most viruses are delivery agents for botnet software that can be used to send spam. It's all about the money now, and botnets are where the money is.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    4. Re:You have to trust something by OriginalArlen · · Score: 1

      Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization

      A nit-pick with an otherwise interesting comment: very few virus writers are doing it for fame and 1337ness points these days. They're here for the money. Anyone capable of writing an effective virus (and who doesn't mind dealing with full-on criminals) can cash in quite successfully.
      --

      Everything I needed to know about life, I learnt from Blake's Seven
    5. Re:You have to trust something by 99BottlesOfBeerInMyF · · Score: 1

      nit-pick with an otherwise interesting comment: very few virus writers are doing it for fame and 1337ness points these days. They're here for the money.

      Amusingly, the same can be said for graffiti to some degree. More and more graffiti is corporate sponsored advertisements, from Sony or MS or some hip clothing label.

    6. Re:You have to trust something by 14erCleaner · · Score: 1
      Virus problems will continue as long as there are people wanting to expand the definition of "virus"

      Fixed it for you.

      --
      Have you read my blog lately?
  15. Won't work by cyberbob2351 · · Score: 2, Interesting

    The newly released OfficeScan 8.0 will include endpoint security features that will block access to Web sites that have a reputation as sources for malicious activity.

    Considering the fact that the infestation could be due to either a worm infection, or could come about by accessing a webserver that is in actuality a compromised botnet drone, how on earth is such a reputation system supposed to be effective?

    Most of your issues will not come from the same sites over and over. The only exception to this is crack and warez sites, but we already have similar reputation systems implemented.
    --
    for sale
    I'm a self-modifying sig virus
  16. OMG! Viruses of Mass Destruction?? by Anonymous Coward · · Score: 0

    Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no.

    If you ask an Oil company whether oil derived fuel engines are dead, they'll answer the same way.


    Please tell me that the AV companies don't also own a crazed lunatic world mis-leader!
  17. network service by Anonymous Coward · · Score: 0
    Point your DNS at $vendor and let them deal with the crap, with the unexpected doubling of volumes overnight (as happened towards the end of last year), etc.

    I can't name vendors as I work for one, but Google is your friend.

    The main reasons this works better than traditional end-point a/v:

    1. the sample size is much bigger than desktop vendors see
    2. we can spend a LONG time (compared to trad a/v) running paranoid heuristics against anything we're not sure about. Desktop anti-virus has to be as fast as possible to not spoil the user experience.

    Of course this isn't a silver bullet for all malware, but it kills spam virtually stone dead, and cleans a lot of crap from your inbound mail feed.

  18. Incomplete solution by Anonymous Coward · · Score: 0

    This is the only way to be sure.

  19. It's just too much... by Anonymous Coward · · Score: 0

    The old barn door begins to give way under the weight of all the locks.

  20. Why reputation-based approaches suck big time by MikeRT · · Score: 1

    All it takes is for a user to get pissed off at your software and mark it down on the list for the ball to get rolling. Same thing applies to spam. I know people who cannot be bothered to unsubscribe from mailing lists. Instead, they just mark it all as spam, not even caring that they signed up for the stuff in the first place!

    1. Re:Why reputation-based approaches suck big time by Nivoset · · Score: 1

      I would say if people signed up for spam it's OK. But how do you tell for sure? Some places all but hide the fact that you really are, or use cryptic wording to make you get it unless you really read it all.

      And I know half the unsubscribe links I ever got seemed to be more links to say "hey, this is a valid email!" than ever stopping the spam. I now just block anything with it in the body.

      --
      Movies made by a crazy person

      http://www.youtube.com/marginalpro
    2. Re:Why reputation-based approaches suck big time by 99BottlesOfBeerInMyF · · Score: 1

      Why reputation-based approaches suck big time. All it takes is for a user to get pissed off at your software and mark it down on the list for the ball to get rolling.

      Having multiple, competing commercial and free sources for information, preferably with a user-definable weighting system, solves that problem. Users who have to deal with incorrect information move to more accurate services, or weigh them more heavily. Capitalist competition can work here, unless MS creates the system, then you will be locked in to just their data, which will suck.

      Same thing applies to spam. I know people who cannot be bothered to unsubscribe from mailing lists. Instead, they just mark it all as spam, not even caring that they signed up for the stuff in the first place!

      This is a usability problem, not an inherent problem with reputation based systems. If it was easier for users to unsubscribe from a list than it was for them to mark something as spam, you'd probably see users accidentally trying to unsubscribe from spam lists and failing. The real issue here is that Webmail providers and custom e-mail client developers have a vested interest in making spam marking easy, but not so much in making mailing lists easy to use and manage.
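
      The scheme 99BottlesOfBeerInMyF sketches in this thread (comment 14.2: the OS merging several subscribed intelligence feeds into one trust level and mapping it to an ACL or a VM; comment 20.2: user-definable weights so that no single source can sink an artifact on its own) as an added example, not code from the thread or from any OS or AV vendor. The feed names, scores, weights and artifact hashes are constructed for illustration; the policy table and the "unknown means contain, not trust" default are this example's own choices.

```python
from __future__ import annotations

from typing import Optional

# Constructed sample feeds (hypothetical names, not real services).
# Each feed maps an artifact identifier to a trust score in [0.0, 1.0]:
# 0.0 = known hostile, 1.0 = fully vouched for. An artifact absent from a
# feed means that feed has no opinion and casts no vote.
FEEDS: dict[str, dict[str, float]] = {
    "os_vendor_signing": {"sha256:aaaa": 1.0, "sha256:bbbb": 0.5},
    "malware_watchdog":  {"sha256:bbbb": 0.0, "sha256:cccc": 0.5},
    "community_votes":   {"sha256:aaaa": 0.9, "sha256:cccc": 0.9},
}

# The user decides whom to trust and how much; a weight of 0 silences a feed.
USER_WEIGHTS: dict[str, float] = {
    "os_vendor_signing": 3.0,
    "malware_watchdog": 4.0,
    "community_votes": 1.0,
}

# Consolidated trust level -> enforcement the OS applies, highest threshold first.
POLICY: list[tuple[float, str]] = [
    (0.8, "run-normal"),
    (0.5, "run-restricted-acl"),
    (0.2, "run-in-vm"),
]
DEFAULT_ACTION = "block"      # below every threshold
UNKNOWN_ACTION = "run-in-vm"  # no feed has an opinion: contain it, do not trust it


def merge_trust(artifact: str,
                feeds: dict[str, dict[str, float]],
                weights: dict[str, float]) -> Optional[float]:
    """Weighted mean of the scores of every feed that has an opinion; None if none do."""
    weighted_sum = 0.0
    weight_total = 0.0
    for feed_name, scores in feeds.items():
        weight = weights.get(feed_name, 0.0)
        if weight <= 0.0 or artifact not in scores:
            continue
        weighted_sum += weight * scores[artifact]
        weight_total += weight
    if weight_total == 0.0:
        return None
    return weighted_sum / weight_total


def decide(artifact: str,
           feeds: dict[str, dict[str, float]] = FEEDS,
           weights: dict[str, float] = USER_WEIGHTS) -> tuple[Optional[float], str]:
    """Map the merged trust level to the action from POLICY; returns (score, action)."""
    score = merge_trust(artifact, feeds, weights)
    if score is None:
        return None, UNKNOWN_ACTION
    for threshold, action in POLICY:
        if score >= threshold:
            return score, action
    return score, DEFAULT_ACTION


if __name__ == "__main__":
    for art in ("sha256:aaaa", "sha256:bbbb", "sha256:cccc", "sha256:dddd"):
        print(art, decide(art))
```

      Because every feed's influence is capped by the weight the user gave it, one disgruntled vote in the community feed can move a vendor-signed binary from "run-normal" to "run-restricted-acl" but cannot push it to "block"; conversely, a user who raises the watchdog's weight sees a half-vouched-for binary with a hostile watchdog verdict drop from "run-in-vm" to "block". Which of those outcomes is right is the user's policy decision, which is the point of making the weights theirs.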

  21. Reputation does not prevent spread of viruses... by Dr.+Zowie · · Score: 4, Insightful

    ... otherwise there would be no syphilis in the world.

    Seriously, there is a pretty direct analogy between (digital epidemiology, computer viruses) and (real epidemiology, real germs). If there were a simple answer to the digital problem, it's a good bet that some population or other would have adopted the analogous strategy to the real epidemiology problem.

    STDs offer a good analogy for digital viruses with a Trojan-style (no snickers, please) strategy. In both cases sharing of {data|fluids} yields immediate benefit at some risk. In both cases, populations have adopted reputational strategies to avoid spreading/contracting viruses. In neither case do those strategies work.

    Even with near-perfect "antivirus software" (the antibiotic penicillin), the old monsters of syphilis and gonorrhea still remain on the planet, and penicillin-resistant strains have even evolved. One problem is that reputations are hard to establish and not necessarily accurate; another is that most humans tend to discount future risks in favor of immediate benefits.

    Interestingly, the reason that the traditional venereal diseases are treated with penicillin injections (and not an oral course) is that, statistically, patients are unlikely to finish the oral course -- a properly completed oral course of penicillin is as effective as the traditional three injections. There is perhaps a lesson to be learned there about how effective corporate data-hygiene strategies are likely to be.

  22. with apologies to Freedy Johnston by sammy+baby · · Score: 2, Funny

    What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation.


    (Sung to the tune of "Bad Reputation", by Freedy Johnston)

    I know, I've got a bad reputation:
    and it isn't just W32/Delbot.
    If I could only keep this damn malware
    out of my inbox.

    I could have had a normal conversation,
    if it wasn't for this firewall.
    If it deletes zip files with passwords,
    then they're worth fuck-all.

    Suddenly, my mail gateway is hosed,
    malware is being
    installed by the truckload,
    keeps breaking down.
    Can you help me now? Can you help me now?
  23. This is Crazy Making! by mpapet · · Score: 2, Interesting

    Why, in this day and age, are we having a conversation about anti-virus anything?

    Instead of accommodating Microsoft's severely broken security model, now updated with "are you sure you want to do this?", just flush that Windows partition and install your Linux distro of choice, or install Linux on the PC and give it away, or get a Mac.

    No, sysadmins like me won't be doing this at work anytime soon. Ever since I told family and friends who needed computer support I won't fix Windows and gave them the option of buying a Mac or switching to Linux, I'm having much more fun on my days off.

    The extra benefit is I don't have to discover some of the ummm, unusual, tastes-and-preferences in my friends' cache.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:This is Crazy Making! by Red+Flayer · · Score: 1

      Why, in this day and age, are we having a conversation about anti-virus anything?

      Because with mass installations of Linux distros, we'll still be facing the same problems -- just with a different OS. Don't think that Linux has no holes.

      The biggest security advantage wrt viruses etc that Linux has now is small market share. If 90% of the world used Linux, then I'd bet that *Windows* would be effectively (not inherently) more secure than Linux.

      I'm sure that Windows is inherently less secure than Linux -- but it wouldn't really matter if it were the Linux holes being exploited by the majority of malware.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:This is Crazy Making! by exp(pi*sqrt(163)) · · Score: 1

      If 90% of the world used Linux, then I'd bet that *Windows* would be effectively (not inherently) more secure than Linux.

      But that doesn't mean the advice is bad. If 33% of people used Linux, 33% MacOS X and 33% Windows then we'd no longer have an OS monoculture and it'd be harder for viruses to spread than if 95% of machines ran the same OS.
      --
      Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
    3. Re:This is Crazy Making! by Mister+Whirly · · Score: 4, Funny

      "Ever since I told family and friends who needed computer support I won't fix windows and gave them the option of buying a mac or switching to Linux, I'm having much more fun on my days off."

      Walking my family through command line installs of libraries and helping them chmod permissions so they can access the files they saved. I love the fact that all my dumbshit relatives are now running Linux, I mean who needs time off on weekends anyways!!! Now when my mom wants to install a new printer, instead of just plugging it in, now we get a 3 hour long session fighting with generic Gimp drivers and it still won't print 100% correctly. And my parents were really stoked that the thousands of dollars they had spent on Windows software was now mostly worthless! Yep, if there is one thing Grandma really loves digging into it's compiling her own Linux kernel - she really just can't get enough of it! All in all I'd say that an OS designed for geeks who really love tinkering with their systems is working out terrific for the average computer illiterate masses...

      --
      "But this one goes to 11!"
    4. Re:This is Crazy Making! by OriginalArlen · · Score: 1

      Unfortunately malware will be with us as long as we have the mark 1 human sitting in front of the keyboard. All the attacker has to do is convince the user to install $evil_binary and boom, game over. If you've got a patch for human stupidity, send code!

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    5. Re:This is Crazy Making! by Red+Flayer · · Score: 1

      You're right, but would this change in install base mean that discussing AV is pointless?

      AV will always be necessary, and the more it's discussed, the better - particularly when it needs to adapt to changing malware techniques.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    6. Re:This is Crazy Making! by 99BottlesOfBeerInMyF · · Score: 1

      Because with mass installations of Linux distros, we'll still be facing the same problems -- just with a different OS. Don't think that Linux has no holes. The biggest security advantage wrt viruses etc that Linux has now is small market share. If 90 % of the world used Linux, then I'd bet that *Windows* would be effectively (not inherently) more secure than Linux.

      I think you're dead wrong on all points. Sure Linux benefits from having a small market share, but that is not the main factor. The biggest problem with Windows security is that MS has a monopoly on desktop OS's. As such, MS has no real motivation to respond to and solve users' security problems. When a user's Windows box gets infected, they don't look at other options because every computer in the store is running Windows. If somehow the user finds out about Linux, the chances are they still have to buy a copy of Windows to get their hardware and that means MS got paid. If MS lost customers and hence money because of the malware problem, they would solve it.

      Linux, even if it had 90% of the market, would never wield monopoly influence in the market because of the licensing. If there was one Linux distro with all that share and malware on Linux got terrible and the developers ignored the problem, someone would fork it and solve the problem and nothing would stop users from moving to the new, secure distro because it is free and the software still works and there is no lock-in.

      I'm sure that Windows is inherently less secure than Linux -- but it wouldn't really matter if it were the Linux holes being exploited by the majority of malware.

      It would matter a great deal because Linux would adapt to solve the problem by adding layers of security and granularity of security and new services and technologies. Signing, certification services and blacklists, MACLs, active scanning, whatever it takes Linux developers would do it because those developers have a direct financial interest in securing the boxes. MS has no such financial incentive. The idea is called a capitalist free market, which brings competition and innovation. The base problem with Windows security is not their design principles, it is that they have broken capitalism with a monopoly and like the former Soviet Union, the consumers are suffering for it.

    7. Re:This is Crazy Making! by drsmithy · · Score: 1

      It would matter a great deal because Linux would adapt to solve the problem by adding layers of security and granularity of security and new services and technologies. Signing, certification services and blacklists, MACLs, active scanning, whatever it takes Linux developers would do it because those developers have a direct financial interest in securing the boxes. MS has no such financial incentive.

      Your theory does not align with reality.

      (If it did we'd still all be using DOS and Windows 3.1, Windows 95 at best.)

      The theory that Microsoft have no financial incentive to improve Windows, and that the [implied small number of] changes in Windows reflects that, doesn't even pass the laugh test when you compare it to actual events.

    8. Re:This is Crazy Making! by Anonymous Coward · · Score: 0

      (If it did we'd still all be using DOS and Windows 3.1, Windows 95 at best.)

      The theory that Microsoft have no financial incentive to improve Windows, and that the [implied small number of] changes in Windows reflects that, doesn't even pass the laugh test when you compare it to actual events.


      Where do I go buy a Dual Core x86-64 system running DOS or Windows 95?

      His point still stands, people get Windows XP^H^H Vista because it comes with the computer. Not because of any improvements (heck, I have still to see any improvements over Win98SE - that one worked pretty good. Ok, XP is getting close on stability, but still has its slowdowns).

    9. Re:This is Crazy Making! by Anonymous Coward · · Score: 0

      Your post is silly on so many levels I don't know where to start.

      > Walking my family through command line installs of libraries

      If you have to do that I blame (presumably) you for a dumb-ass installation in the first place. Unless you deliberately uncheck a bunch of libs during setup you should never have to worry much about it.

      > helping them chmod permissions so they can access the files they saved.

      If they saved files themselves, then the files have their own user permissions. Can't be any other way. So what are you talking about?

      > Now when my mom wants to install a new printer,
      > instead of just plugging it in, now we get a 3 hour
      > long session fighting with generic Gimp drivers and
      > it still won't print 100% correctly.

      Never had issues with CUPS on any printer. Maybe if you're spending all that time supporting them as you proclaim you do, perhaps you could assist them in getting a printer that's not made by Disney or Taco Bell: get one of the thousands that work by plugging in, picking from the CUPS list and printing!

      > And my parents were really stoked that the thousands of dollars
      > they had spent on Windows software was now mostly worthless!

      Ever heard of a dual-boot? Besides, if they invested that much and Windows does what they want and/or need why are they running Linux??

      > Yep, if there is one thing Grandma really loves digging
      > into it's compiling her own Linux kernel
      > - she really just can't get enough of it!

      Why would she need to do that? Methinks you never ran Linux in your life for yourself or other people, so please stfu.

  24. AV are Dead by smist08 · · Score: 2, Informative

    I stopped realtime scanning when I realized that over 50% of my CPU was going to scanning virus's. Now that it is turned off, things run much faster. E-mail seems to be the main source of virus's, but most email servers scan for virus's so doing a local realtime scan is just a waste of time. Otherwise just avoid memory keys, and disks which is fairly easy. I find Spyware a bigger problem than virus's but just running Spybot every now and then to clean off things installed by other software like webcams seems good enough. Certainly my PC runs much faster and more reliably with AV turned off. Still do a system scan now and then, but haven't found a virus in like five years.

    1. Re:AV are Dead by MontyApollo · · Score: 1

      I haven't detected a virus on my home computer in over 5 years as well. McAfee has become so bloated, I'm trying to decide whether to just remove it totally or just keep it turned off except for the occasional scan. It also seemed like in the past it was a lot easier to disable McAfee temporarily (right clicking the icon in the quick start toolbar), while now it is a lot more trouble to toggle it on or off.

    2. Re:AV are Dead by Anonymous Coward · · Score: 0

      It's viruses, not virus's.

  25. SiteAdvisor by Strilanc · · Score: 2, Interesting

    Wow, this is the same thing as Site Advisor; except it doesn't warn you about bad websites, it just tells you to fuck off. How hard could it be to modify the site advisor extension to do that?

  26. Re:This is why reliance on AV software is dangerou by saddlark · · Score: 2, Interesting

    Two times, I've observed that the opensource AV software ClamAV nailed new email virii about 6 and 12 hours before the commercial alternatives got signatures for them (3-4 examples, names left out to protect the guilty).

    Of course, this doesn't always happen, but it's still an interesting observation.

  27. Trend Micro? by Skythe · · Score: 1

    Cue PC-cillin bashing.

    A more naive self once had it as virus protection several years ago.
    Ended up causing a multitude of problems that it shouldn't have.

  28. Re:Reputation does not prevent spread of viruses.. by xtracto · · Score: 1

    And here is where you think: if people won't take care of their own bodies, how could you expect them to care about a darn computer...

    As you said, the main issue is the "immediate benefits." Whether it is a nice orgasm, or winning the Nigerian lottery, or anything else, lots of people do not know the risks, and lots of people do not care about the risks even if they know them.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'

  29. Signature-Less Anti Virus by Anonymous Coward · · Score: 1, Interesting

    At http://www.calyptix.com/ we have a lot of success with our signature-less inspection engine, DyVax. This includes stopping the Storm Trojan and Nuwar malware hours before the big vendors saw samples on their honeypots. Reliance on signatures creates costly downtime; we are trying to eliminate that.

    1. Re:Signature-Less Anti Virus by Anonymous Coward · · Score: 0

      Quit spamming Slashdot. Are you telling me that you are able to stop Trojans that use packing methods based on an NP-complete problem?

  30. Re:This is why reliance on AV software is dangerou by justasecond · · Score: 1

    Two times, I've observed that the opensource AV software ClamAV nailed new email virii about 6 and 12 hours before the commercial alternatives got signatures for them (3-4 examples, names left out to protect the guilty).

    So for every new virus but two the commercial alternatives got their signatures updated quicker? Guess I know which I'd choose...

  31. Re:This is why reliance on AV software is dangerou by Anonymous Coward · · Score: 0

    > virii

    I just thought you should know that no one on either side of the virus industry calls them "virii", only poseur faux-intellectuals.

  32. Your assumptions are not 100% correct by winkydink · · Score: 1

    The reason that Trend Micro's "new" approach will fail is ... rather long. Follow along for a moment.

    a. Vulnerability is found and exploit is written.
    b. Exploit needs to be distributed.
    c. Exploit is distributed via a quick spam flood - they have no protection against this.


    Actually, they do. That's part of why the approach is novel.

    d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
    e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
    f. So Trend Micro will have to violate robots.txt and that behaviour should be noticeable. So the bad guys would hide that file from something that looks like a webcrawler that doesn't respect robots.txt.


    Actually, they can do this without scanning directories forbidden by robots.txt. Again, it's why the approach is novel.

    Sorry, I can't say more as I'm under NDA. I'm sure the details will emerge soon.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  33. Right. Because Linux is perfect... by msimm · · Score: 1

    Sys admins like *me* prefer variety and get a little tired of the messiah complex some people have regarding religious OS of [choice].

    Blaming Windows for security problems carte blanche seems pretty ridiculous (they get credit, but all the credit?). Especially right before jabbing them for improving it a little (it's annoying, but *as* a systems admin I'm sure you know the security/usability trade-off).

    Do you think because Linux distros do things slightly differently that with mainstream adoption they would have such an easier time, or simply become a more mainstream target? Sounds kind of cavalier to me. *If* Linux picked up steam or Windows suddenly ceased to be, whatever replaced it would be the new focus of script kiddies and security experts. I'd probably move straight to OpenBSD or Solaris. But until that happens (I don't see why it would) I certainly won't start trying to strong-arm my friends and family into using *my* operating system of choice. I'd rather have them follow a few basic security measures that they can take with them across operating systems (say, like how AV products are good and keeping them up-to-date can help, or using anti-adware software...).

    But if your friends/family like being brow-beaten, what the hell. I should try that here at the office (of course the CEO would probably get cranky, but hey, it's Monday!).

    --
    Quack, quack.

    1. Re:Right. Because Linux is perfect... by mpapet · · Score: 1

      Do you think because Linux distros do things slightly differently

      The security models are _not_ comparable. At all. Yes, Microsoft is trying to emulate a unix-ish security model on the surface; below that the whole Microsoft security objects model is a complicated mess that culminates in "Are you sure you want to do this?"

      Blaming Windows for security problems carte blanche seems pretty ridiculous (they get credit, but all the credit?).
      While they are running on 98% of all PCs, yes, I give them all the credit.

      I certainly won't start trying to strong-arm my friends and family
      This statement is an attempt to marginalize a different choice in operating systems. Please examine your motives carefully and get back to me when you and I are in the same room talking to my friends and family.

      I'd rather have them follow a few basic security measures
      Yes, and Windows is still broadcasting (!) open ports, users run as administrator, and zero-day attacks remain a very low priority for Microsoft while Windows Media Player DRM patching is a high priority. End result: they still get malware.

      Windows is a broken user security model. I encourage you to expand your horizon.

      --
      http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

    2. Re:Right. Because Linux is perfect... by 99BottlesOfBeerInMyF · · Score: 1

      Blaming Windows for security problems carte blanche seems pretty ridiculous...

      I disagree. Almost all major or widespread security problems are the result of Windows and their domination of the market and the fact that because of their monopoly they have no financial incentive to fix the problem, while they are the only ones in the position to do so.

      ...but *as* a systems admin I'm sure you know the security/usability trade-off...

      As a person with extensive experience in both usability and security, I call BS on this. The idea that usability and security are inherently opposed is tripe. Security is making sure the computer only does what the user wants and not what someone else wants. Usability is enabling the user to easily do what they want and not do things they don't want. Usability and security are complementary. Some security measures decrease usability, especially notably broken and ineffective security measures. Many technological decisions are made that decrease usability under the assumption that they will increase security, but objective analysis usually shows this is not true. You have to take the user and interface into consideration when planning security or you're just taking measures to shift the blame instead of increase real security.

      I'm tired to death of hearing this tired old false assumption trotted out again and again. A huge part of MS's security problem right now is that they've ignored the user interface component of it. "OK/Cancel" dialogue boxes that operantly condition people to click "OK" reflexively are not good security design and decrease real security because they are not usable.

      Do you think because Linux distro's do things slightly differently that with mainstream adoption they would have such an easier time or simply become a more mainstream target?

      If Linux had 60% market share for home users tomorrow, in a month malware on Linux would be almost as bad as it is on Windows now... but 6 months later the problem would be all but eradicated as Linux developers implemented new security measures to counter the problem and Linux would hold its own in the arms race that would ensue. This is because of the licensing of Linux. Linux will never wield monopoly influence in the market because it can always fork and lock-in is almost impossible with GNU licensed code. That means while right now MS has little or no financial incentive to fix the malware problem (Windows users generally can't/don't switch or even know there are other options when exploited), Linux developers would always have that incentive because the users are the developers and they are always going to be competing with other distributions.

      I certainly won't start trying to strong-arm my friends and family into using *my* operating system of choice. I'd rather have them follow a few basic security measures that they can take with them across operating systems

      I agree you can't solve this problem from the bottom up. The root problem that needs to be solved is that the desktop OS market is monopolized and thus there is no competition for our money and no innovation and responsiveness to customers' needs because of that competition. Solving the malware problem is fairly simple. Break MS into multiple companies each with full rights to Windows and forbid them from having any unmonitored communication. They'll fight tooth and nail to make Windows secure fastest and best and Linux and other OS's will be right there fighting it out with them. That is how users will win and OS's will win the fight against malware in general.

    3. Re:Right. Because Linux is perfect... by Foolhardy · · Score: 1

      You're confusing OS security design with user interfaces, install defaults, user habits and suspected company policies.

      The Windows NT (which all Windows versions since XP are derived from) security model is comprehensive, powerful and granular. The biggest flaw it could be said to have is that it is too much of the above, and so too complicated. Every possibly sensitive object has a security descriptor which includes an ACL. Every process has a token which identifies its authority. I invite you to find a flaw in the actual OS security model.

      Vista does indeed have an annoying policy of asking users to confirm each privileged action, thereby allowing them to be a privileged user without giving carte blanche to their processes. This is mostly a UI change, not a deep system change: it's a way for an unprivileged process to ask the user to bless a new process with greater privileges when the original process didn't have enough to do what it wanted to. The standard UNIX model of unprivileged users + full privilege admins has always existed on NT; UAC is simply a more convenient interface to sudo.

      The past install and OEM default of creating only a single, full privilege user to be used for normal work does indeed suck for security. It is not, however, a required mode in any way. It has always been possible to log on as a safe unprivileged user for normal work. If the user and the OEM don't know better, and software developers have no concept of least privilege, then it's their fault, not the OS's. Would you blame Linux or Ubuntu if Dell decided on a fork of Ubuntu that logged the user on as root silently by default and shipped software with the system that required root when it shouldn't?

      About Microsoft's alleged priority of patching of WMP DRM failures faster than zero-day attacks, I'd like to see some evidence of that. The biggest worms all had patches released for them long before they infected computers. Besides, WMP and the core OS developers are in entirely different groups; you can't just transfer resources from one department to another in a big company like MS. IOW, it's an artifact of corporate bureaucracy, (not malicious intent or negligence) at best.

      Yes, and Windows is still broadcasting (!) open ports [...]
      What does that mean, exactly? Have you read one too many "Your computer is broadcasting an IP address!!!!11" ads?

      Windows is a broken user security model.
      How, exactly?

    4. Re:Right. Because Linux is perfect... by drsmithy · · Score: 1

      I disagree. Almost all major or widespread security problems are the result of Windows and their domination of the market and the fact that because of their monopoly they have no financial incentive to fix the problem, while they are the only ones in the position to do so.

      Almost all the widespread security problems on Windows can be narrowed down to end users doing the wrong thing.

      As a person with extensive experience in both usability and security, I call BS on this. The idea that usability and security are inherently opposed is tripe. Security is making sure the computer only does what the user wants and not what someone else wants. Usability is enabling the user to easily do what they want and not do things they don't want. Usability and security are complementary. Some security measures decrease usability, especially notably broken and ineffective security measures. Many technological decisions are made that decrease usability under the assumption that they will increase security, but objective analysis usually shows this is not true. You have to take the user and interface into consideration when planning security or you're just taking measures to shift the blame instead of increase real security.

      Security and usability are inversely related. Every single security measure you can think of - from having to enter a password to log in, through confirming potentially dangerous actions, to permissions restrictions - negatively impacts usability in some way.

      You will probably make some ridiculously broad and circular argument that "a more secure system is more usable because it is more secure", but that doesn't change the fact that all those individual processes that occur get in the way, at some level, of what the user is trying to do.

      If Linux had 60% market share for home users tomorrow, in a month malware on Linux would be almost as bad as it is on Windows now... but 6 months later the problem would be all but eradicated as Linux developers implemented new security measures to counter the problem and Linux would hold its own in the arms race that would ensue.

      Thousands of years of human society hasn't closed the biggest security hole in every system - its users - and you think "Linux" will manage to do it in 6 months?

      So long as computers remain general purpose machines for running arbitrary code, they cannot be secured.

  34. Re:Reputation does not prevent spread of viruses.. by winkydink · · Score: 1

    Is your desire to surf the web as great as your sex drive? Your analogy is deeply flawed.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  35. Effort going in the wrong places by Animats · · Score: 2, Interesting

    If all the effort spent on security approaches we know won't work, like looking for known attacks, were spent on approaches that can work, like fixing operating systems and applications so external content runs in jails that work, and developing reliable means for sanitizing content, we'd be much further along.

    Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.

    The problem with all this so-called "virus security" is that it's aimed against bulk attacks that are mostly annoyances. It won't detect focused attacks aimed at a business or government site intended to steal serious money or information.

    Military security people are trained to make that distinction. Some effort has to be devoted to chasing off kids throwing rocks over the fence, but they're not a real threat. The real threats are subtle, until it's too late. The commercial computer security industry does not get this at all, and doesn't want to.

    1. Re:Effort going in the wrong places by OriginalArlen · · Score: 2, Insightful

      Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.

      Now far be it from me to defend the great satan, but to be fair Microsoft have spent a lot more than that on improving security since Bill "got it" and sent his memo back in, what was it, 2003? They still haven't trained themselves to make the right call when it comes to usability vs functionality (see UAC, and so on and on) but Vista is a lot more secure out of the box than XP SP2 - which itself was an improvement over 2000. (Which, admittedly, was worse than NT4 which was worse than 3.51, but that's beside the point.)

      It probably won't show up in the botnet stats even once Vista is ubiquitous, though, as you still have to allow the user to install arbitrary binaries, which means the attacker just has to fool them. And they've had a lot of practice with that over the last few years. There IS no technical solution to this, unless you completely close the ecosystem - prevent the user installing arbitrary executables, shut down the internet as we know it -- or find an infallible on-demand method of deducing what a given program is going to do; and if you've got a solution to the halting problem, I'm sure we'd ALL like to hear it ;)

      --

      Everything I needed to know about life, I learnt from Blake's Seven

    2. Re:Effort going in the wrong places by 99BottlesOfBeerInMyF · · Score: 1

      Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.

      Symantec is a billion dollar company spending money to make money. MS has no such motivation to fix their OS since if it is insecure, people have to buy it anyway... it is the only thing in Walmart or K-mart or 90% of all stores.

      The real threats are subtle, until it's too late. The commercial computer security industry does not get this at all, and doesn't want to.

      The commercial "security" industry has given up Windows as a lost cause. No credible security person who wants a secure server or workstation considers Windows a viable option. There is plenty of work being done on real security, like SELinux based solutions. The problem is you're looking at the "fixing the worst of Windows insecurity" market instead of the security market.

  36. GEEK SQUAD WOO HOO!! by Danzigism · · Score: 1

    I'm personally sick and tired of these retarded Geek Squad bastards installing Norton or Mcafee on these horrible Hewletts with 256mb of RAM attempting to run XP.. Old people have no freakin' clue what to do or what they're buying, so it ends up ruining their computers even more than what they already are..

    AV should seriously die a horrible death in my opinion because there's always going to be the need for bigger and better security, and the low-end computers that everyone buys because they're $300 at Walmart aren't going to be able to handle it.. leave it up to the operating system to be secure, and leave it up to the computer experts to remove bad viruses if and when they do come around.. face it, when is the last time your AV software actually got rid of a bad virus? the only program that even comes close to operating correctly without hogging up tons and tons worth of precious resources is Panda AV anyway..

    People that have a decent expert opinion with computers typically don't even use AV software.. and if you do, you must be one lazy bastard and don't care how fast your system operates.. you should be using hijackthis, autoruns, killbox, and some of the other nifty utilities out there..

    I will say that I've been a little impressed with Vista's CPU prioritization of certain tasks.. Maybe if they make new AV software that operates similarly to the way Vista indexes, and can scan your computer all the time using a lower CPU priority, then I think it will be more worthwhile for the regular user..

    as for now, customers would rather pay me $40 in-shop labor for removing all the horrible spyware and viruses from their computers every few months, than have to deal with slow computers running AV software and having them prompt them every 10 seconds regarding something they don't even understand..

    --
    *plays the Apogee theme song music*

    1. Re:GEEK SQUAD WOO HOO!! by DragonTHC · · Score: 1

      People that have a decent expert opinion with computers typically don't even use AV software.. and if you do, you must be one lazy bastard and don't care how fast your system operates..

      You sir, are a moron.

      Only a moron doesn't run AV software.

      a simple utility will not block a nasty virus which uses an exploit in your operating system to propagate.

      You can't stop it alone. We all know you're not sitting in your mom's basement writing your own windows patches.

      Use Kaspersky or Avira
      --
      They're using their grammar skills there.

    2. Re:GEEK SQUAD WOO HOO!! by deathjestr · · Score: 1

      > AV should seriously die a horrible death...

      Definitely.

      > People that have a decent expert opinion with computers typically don't even use AV software..

      I'm a programmer. I haven't had any sort of AV software installed on my computer for at least 5 years, and in that time I have had no virus problems whatsoever. I suppose someone could argue that I might have a virus and I just don't know it, but if that's the case then I'd probably prefer having the virus to having AV software that cripples the system and forces me to buy new hardware every 2 years.

    3. Re:GEEK SQUAD WOO HOO!! by Anonymous Coward · · Score: 0

      You sir, are a moron.

      Only a moron doesn't run AV software.


      Must be a lot of morons working as programmers, admins, IT security, etc, then. I haven't had any AV software for a couple of years either. And should I get a virus, too bad. A reinstall still takes less time than what I would have wasted on slowdowns and crashes caused by McAfee. But so far, no virus has been able to cause any problems whatsoever. Even the ones they are talking about on TV, that end up in my inbox, just get archived in my virus folder. So far that folder contains 19 unique viruses, or 29 if you count variants (I have 5 variants of Netsky alone).

      So far, from a wasted time point of view, AV programs are the malware, and viruses are pretty harmless. In my situation, running AV software would be the moronic choice.

    4. Re:GEEK SQUAD WOO HOO!! by Danzigism · · Score: 1

      you seem to have misunderstood everything I said.. experts typically can tell right away when their system is acting funky as if a virus was installed.. I would seriously try using those utilities because they actually do much more than any AV software I've ever seen.. To me, it is very like a moron to depend completely on AV software.. It simply doesn't work!! Every week I fix at least 10-20 people's computers in my little redneck town of Maryland.. Every one of them has some type of AV software.. And waddya know, every one of them still gets infected with viruses! It's not that the AV software is dumb and pointless, it's simply impossible to keep up with all the new software exploitation that comes out on a daily basis.. At least with the proper tools, you can look at the important areas of the machine like the Startup, Registry, and Browser settings, to tell what is seriously fucked up.. I'm not going to recommend that my customers stop using AV software altogether, because it IS important for the Noobs, like yourself, but it is very low priority for me, and I'll continue to never use the shit and have it waste my fucking time and resources when I can just as easily figure it out by myself..

      --
      *plays the Apogee theme song music*

  37. Web Surfing and Sex Drive by Slashdot+Parent · · Score: 1

    Is your desire to surf the web as great as your sex drive?
    Isn't the average slashdotter's drive to surf the web little more than the slashdotter's sex drive, itself?
    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock

  38. yes you're dead on by gelfling · · Score: 1

    Screw AV, it's a dead end. Take all that time and resource and brainpower and focus on making the OS stronger and hackproof. Windows has become a titanium armored soldier with seriously bad heart disease. Making the armor stronger isn't going to help anything in the end.

    1. Re:yes you're dead on by 99BottlesOfBeerInMyF · · Score: 1

      Screw AV, it's a dead end. Take all that time and resource and brainpower and focus on making the OS stronger and hackproof.

      There are two items to address with your comment. First, only MS can secure the OS and they have little incentive. Lots of commercial companies have a financial interest in solving the malware problem, but they cannot fix the core of the OS as you propose. To solve this, we need to fix the broken, monopolized desktop OS market.

      Second, I don't think AV services are a dead end. Rather, I see subscriptions to information feeds about software, both blacklists and whitelists and more advanced variations thereof, as a vital role in a truly secure OS. No one has the time to test all the software they run and see if it is well behaved. No one has the time to audit all the code they will run, even if it is open source. There is definitely a place for selling the service of investigating software and telling end users how trustworthy it is and what it should be doing and how it should be restricted by the OS and signing and certifying it. There is also a place for selling this same service as applied to Web sites, network hosts, and online services in general.

      The trick is, for such services to be truly effective there must be a competitive marketplace so the data is useful (MS is undermining this now with Defender) and it must integrate sensibly with the OS such that the OS can act directly on the information provided (which requires either MS starts to care or MS is ousted).

    2. Re:yes you're dead on by Tim+C · · Score: 1

      focus on making the OS stronger and hackproof

      Imagine that I am a user with the admin password and a pressing need to download and install CometWeatherBonziCursorBuddyBug. Please explain to me how the OS can prevent me from infecting it with the virus and/or trojan that came along with the installer.

      I get a lot of spam - and by "a lot", I mean a couple of thousand items a day. A small proportion have viruses attached. Some of these viruses are .pif files, some are .scr (screensaver, but essentially any old exe), some are zipped. I have even seen *password protected* zip files that contain a virus. Despite this, I still get them, which implies that someone has received an email claiming to have a document for them to read, or a patch for them to install, or whatever, and have run the attached file. Some have even opened a zip file, typed in a password, and run the file within.

      Explain to me exactly what the OS can do to protect itself from someone with admin access who is so careless of their actions. (Removing admin access is not an option, they have to be able to install software and apply updates as no-one else is going to do it for them)

    3. Re:yes you're dead on by gelfling · · Score: 1

      No, in terms of a client-only solution it's a dead end. Any of you are relying, whether you recognize it or not, on a desktop firewall, an AV scanner, a spyware scanner, a local router, an ISP that scans 'something' or maybe a corporate LAN with its own perimeter and/or email protection. The fact that you are not egregiously harmed on any one day is indicative of all the other work and horsepower that goes on behind the scenes.

      And in case no one's been noticing, scheduled batch scans of AV or spyware tools nowadays are becoming EXTREMELY long. Avast running an 'average' scan on a 17GB partition takes about 25 minutes give or take. Spybot takes 9-11 minutes on the same partition (60,000+ checks). The writing is on the wall - eventually these bulk approach tools are either going to take too much time or take too much heuristic horsepower. Better we all convert to a BSD or *Nix core before it's too late. At least we'll have a few years head start.

    4. Re:yes you're dead on by 99BottlesOfBeerInMyF · · Score: 1

      No, in terms of a client-only solution it's a dead end. Any of you are relying, whether you recognize it or not, on a desktop firewall, an AV scanner, a spyware scanner, a local router, an ISP that scans 'something' or maybe a corporate LAN with its own perimeter and/or email protection. The fact that you are not egregiously harmed on any one day is indicative of all the other work and horsepower that goes on behind the scenes.

      I agree that it is not the only place efforts should be focused, ideally, but neither is it something we should abandon. In future I still suspect there will be honeypots and honeynets and large scale scans, but the main use of AV type services will be when a client runs an executable. After all, that is the only time it can really do any damage. A quick check of just that executable against the blacklists and whitelists and whitelists with accompanying restrictions, certification, and recommendations. That is not too resource intensive.

      Avast running an 'average' scan on a 17GB partition takes about 25 minutes give or take. Spybot takes 9-11 minutes on the same partition (60,000+ checks) The writing is on the wall - eventually these bulk approach tools are either going to take too much time or take much heuristic horsepower.

      That is because you're scanning all your data periodically instead of checking your executable when you run it. This is mostly because OSes do not have built-in support for the latter, but there is no reason why they should not.

      Better we all convert to a BSD or *Nix core before it's too late. At least we'll have a few years' head start.

      BSD and *Nix are a bit ahead right now, but more important in my opinion is simply to move away from a monopolization of the market so OS development becomes competitive, innovative, and responsive. The WinNT core is a fine basis for such a system, if the market was not monopolized and the players had a real financial interest in competing to solve the problem.

    5. Re:yes you're dead on by drsmithy · · Score: 1

      Screw AV, it's a dead end. Take all that time and resource and brainpower and focus on making the OS stronger and hackproof. Windows has become a titanium armored soldier with seriously bad heart disease. Making the armor stronger isn't going to help anything in the end.

      AV isn't there to stop stuff getting past the armor, it's there to stop stuff that has gotten past the armor. It's an integral (and inescapable, assuming you want computers to remain general-purpose machines) part of a properly configured, layered security system.

    6. Re:yes you're dead on by Animats · · Score: 1

      The problem is the whole concept of "admin access". What's needed is more mandatory security. Something like this, which is what NSA calls "mandatory security".

      Every file, program, etc. has a "security level" and "security compartments", and "integrity level" and "integrity compartments". Information can only flow into (not out of) a security compartment, upward in security level, and downward in integrity level, unless it's passed through a trusted program that "sanitizes" it.

      Browsers should be divided into several parts. One part talks to the user and launches page displayers. Page displayers run at integrity level "outside world", integrity compartments "none", as does the window and network connection they are given. So they can't do much. You can download and run anything you want in that jail, but it can't affect anything outside the compartment.

      The user interface part of the browser (commands, toolbars, etc.) runs at integrity level "browser", above "outside world", but below anything important, and in compartment (say) "Firefox".

      So if you download a toolbar, it comes in at "outside world". The user interface part of the browser can't run it, unless an "upgrader" passes it. Even if some toolbar is imported into the "Firefox" compartment, it can only affect "Firefox" stuff. It can't install something that runs outside the browser compartment.

      This is what the NSA Secure Linux people had in mind, but it never caught on. The applications weren't modified to work under such severe restrictions.

      The key idea here is that untrusted software is compartmented, and trusted software is rare and, most importantly, tiny. The compartmentalization means that you can look at a hostile file with an untrusted program, like Microsoft Word, but it can't mess up anything at a higher level or in another compartment. If you want to get the data out of that compartment, you have to run it through an upgrader. (A good way to upgrade a .doc file would be to convert the .doc file to .odf with untrusted software like OpenOffice, then run that through a small trusted program that parsed the XML, throwing out any tags that didn't belong). The only trusted component here is the XML filter.

      Mail can be processed similarly, first converting to some easily checked format, then running it through a dumb checker. Note that the converter doesn't have to be trusted, so attacking the converter may be possible, but won't cause a serious problem. This avoids a problem we have today - complex security software running at too high a level, and thus becoming a problem in itself. Even the security software has to be partitioned.

      Note that there's no problem running games. Games can run at "outside world" level in the "World of Warcraft" compartment. Games can have their own local files, but those files are in the game's compartment and can't be read from outside it.

      There are costs. Incoming images might have to undergo JPEG to PNG conversion, then pass through a PNG validity checker, for example. There are things you can't do, and there are things that become harder. But real security is quite possible.
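
The level-and-compartment scheme Animats sketches above, as an added example that is not the poster's code and not any real MLS implementation (the level names, the XML tag allowlist and the sample labels are constructed assumptions; the post gives the flow rule for security compartments, and the same into-not-out-of rule is applied to integrity compartments here as an assumption):

```python
"""Toy model of the mandatory-security scheme in the post above (added example,
not from the post's author or from any real MLS system).

Every object carries a security label (level + compartments) and an integrity
label (level + compartments).  Per the post, information may flow only:
  - upward in security level and *into* (never out of) a security compartment,
  - downward in integrity level,
unless a small trusted "upgrader" sanitizes it and relabels the result.
Assumption: integrity compartments use the same into-not-out-of rule."""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import xml.etree.ElementTree as ET

# Constructed lattices; "outside world" and "browser" are the post's names.
SECURITY_LEVELS = {"public": 0, "confidential": 1, "secret": 2}
INTEGRITY_LEVELS = {"outside world": 0, "browser": 1, "user": 2, "system": 3}


@dataclass(frozen=True)
class Label:
    sec_level: str
    sec_compartments: FrozenSet[str]
    int_level: str
    int_compartments: FrozenSet[str]


def flow_allowed(src: Label, dst: Label) -> bool:
    """May information labelled `src` flow into an object labelled `dst`?"""
    # Security (confidentiality): only upward in level, only into compartments.
    if SECURITY_LEVELS[src.sec_level] > SECURITY_LEVELS[dst.sec_level]:
        return False
    if not src.sec_compartments <= dst.sec_compartments:
        return False
    # Integrity: only downward in level (untrusted data never reaches a
    # more-trusted object) and only into compartments (assumption).
    if INTEGRITY_LEVELS[src.int_level] < INTEGRITY_LEVELS[dst.int_level]:
        return False
    if not src.int_compartments <= dst.int_compartments:
        return False
    return True


@dataclass(frozen=True)
class Obj:
    label: Label
    data: str


def copy_into(src: Obj, dst_label: Label) -> Obj:
    """Untrusted path: move data to dst_label only if the flow rules allow it."""
    if not flow_allowed(src.label, dst_label):
        raise PermissionError(f"flow from {src.label} to {dst_label} denied")
    return Obj(dst_label, src.data)


# --- The one trusted component: a dumb allowlist filter over XML ----------
ALLOWED_TAGS = frozenset({"document", "p", "h", "b", "i", "ul", "li"})  # constructed


def sanitize_xml(untrusted_xml: str) -> str:
    """Keep only allowlisted elements and their text; drop every attribute and
    every other element together with its contents.  Rejects a bad root."""
    root = ET.fromstring(untrusted_xml)
    if root.tag not in ALLOWED_TAGS:
        raise ValueError(f"root element <{root.tag}> not allowed")

    def rebuild(elem: ET.Element) -> Optional[ET.Element]:
        if elem.tag not in ALLOWED_TAGS:
            return None
        new = ET.Element(elem.tag)  # attributes are deliberately not copied
        new.text = elem.text
        for child in elem:
            kept = rebuild(child)
            if kept is not None:
                kept.tail = child.tail
                new.append(kept)
            elif child.tail:
                # The element is dropped, but the text after it is kept.
                if len(new):
                    new[-1].tail = (new[-1].tail or "") + child.tail
                else:
                    new.text = (new.text or "") + child.tail
        return new

    return ET.tostring(rebuild(root), encoding="unicode")


def upgrade(src: Obj, dst_label: Label) -> Obj:
    """Trusted upgrader: the only path that raises data in integrity.
    Only what survives the sanitizer is relabelled."""
    return Obj(dst_label, sanitize_xml(src.data))


# Sample labels built from the post's examples (constructed).
OUTSIDE = Label("public", frozenset(), "outside world", frozenset())
FIREFOX = Label("public", frozenset(), "browser", frozenset({"Firefox"}))
USER = Label("public", frozenset(), "user", frozenset())
WOW_FILES = Label("public", frozenset(), "outside world", frozenset({"World of Warcraft"}))
```

A downloaded toolbar labelled `OUTSIDE` cannot be copied into the `FIREFOX` compartment (integrity would go up), and nothing in `FIREFOX` can reach `USER`; the only way up is `upgrade`, whose entire trusted surface is the few lines of `sanitize_xml`. The converter that produced the XML in the first place (OpenOffice in the post) never needs to be trusted.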

  39. Logical Fallacy by mpapet · · Score: 1

    The biggest security advantage wrt viruses etc that Linux has now is small market share.

    Wrong.

    Windows security model and the *nix security model is a false analogy. In no way are they comparable.

    Instead of making false analogies, why don't you install a Linux distro and discover all of the benefits of running a sensibly designed, though hardly perfect, OS. Yes, you trade anti-virus subscriptions, anti-spyware software and Microsoft treating you like a criminal with their WGA software for some hardware incompatibility.

    Overall, you get to concentrate much more on using rather than taking care of the PC.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:Logical Fallacy by Red+Flayer · · Score: 1

      Are you claiming that the Linux security model is unbreachable and, if adopted by everyone, will obviate both the need for AV and the need for discussions about AV?

      As much as Linux's security model is better than Windows', the need for AV will never disappear.

      Analogy? Where is there an analogy? There is simply a comparison, which is something completely different.

      Do they compare equitably? No, as I state in my OP, which you simply ignored.

      Does market share, and therefore targeting of malware affect total harm from malware? You bet.

      Is it safe to assume that more malware would be written to target Linux if Linux had a much greater marketshare? Yes, since there would be a greater financial incentive to do so.

      So we still end up with a situation where AV is necessary, and discussion of AV is necessary.

      Please think about this. Changing over to Linux does not remove the necessity of thinking about security -- that is a very dangerous step to take.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:Logical Fallacy by drsmithy · · Score: 1

      Windows security model and the *nix security model is a false analogy. In no way are they comparable.

      True enough. From a technology perspective, the Windows security model is superior in pretty much every measurable way.

      However, the important point is this: viruses very rarely exploit holes in either the security model or even bugs in the software. The most prominent vector for virus infection is the end user.

      So long as people can run arbitrary software on their computers, the "virus problem" will exist.

    3. Re:Logical Fallacy by Anonymous Coward · · Score: 0

      True enough. From a technology perspective, the Windows security model is superior in pretty much every measurable way.

      That would be the "security model" that is so complicated that even Microsoft themselves can't make a simple game that works without administrator privileges?

      The major problem with ACLs compared to unix-style permissions is that ACLs are so complicated that only hardcore VMS admins use them. Heck, Linux has supported both for a while, and people are still using the well thought out permission system. Windows only has ACLs, so people are still using the Windows 9x security model.

      But perhaps you don't count "usable" as a measurable way?

      ACLs are great in theory, but in the real world they fail big time, by being too complicated.

    4. Re:Logical Fallacy by Anonymous Coward · · Score: 0

      > As much as Linux's security model is better than Windows',
      > the need for AV will never disappear.

      Actually I install a Linux version of AV software (F-Prot and ClamAV) as a matter of course on my Linux partitions. First they are able to sniff out Linux-specific nasties (not so much viruses in the Windows-sense of the word, but evil shell/backdoor scripts, trojans, flooders etc.) and second I can use them to run over my Windows partitions. Too bad NTFS write support is still not there...

  40. Japan by minus_273 · · Score: 1

    Last I checked AV software was doing fine in Japan. Just look at the H game section..

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
    1. Re:Japan by neminem · · Score: 1

      Nah, most of the best audiovisual software is free, anyway. Why use anything else, when VLC does everything right? ;)

  41. Simplification.. by msimm · · Score: 1

    So you think your family/friends would go from using Windows with no security to using Linux better? Because Linux distros install no unneeded services by default? And of course your computer challenged friends will then be sure to apt-get update/yum update/etc and they'll check their crontab to be sure freshclam is running nightly.

    You can get all pissy with me if you want. My horizons won't be hurt. I work with what you advocate every day. I just don't particularly care for that unrealistically cavalier attitude. It reminds me of myself when Linux was new to me. After 8 or 9 years Linux is good, but things don't seem so black and white anymore.

    an attempt to marginalize a different choice in operating systems.
    Sure. Because I hate Linux/Mac/Solaris/BSD...oh snap! I don't. My motives are simple: let people work on whatever they find productive. Maybe I don't mind helping the friend/family member as much? (wasn't that your motive?)

    Basic security is still your best bet. But you can argue with me all you like.
    --
    Quack, quack.
  42. So you monopoly is the main problem... by msimm · · Score: 1

    I'd go with that. But the problem I have here is the simple fact that *this* is the current reality. The previous poster seemed to believe that forcing people not to use Windows/Vista was the solution. But people are using it and will continue to.

    You are probably correct to assume there would be a different response to security if it was in the hands of the larger community. But things can get thorny there too. Q&A (which slows down the release cycle). Project forking. Compatibility. Right now Linux is good, but it's hard to know what the mainstreaming (if Linux was ready) of Linux would result in. Dumbing down? Certainly. Some concessions to security for convenience? Likely.

    I agree the 1-1 security/usability argument is lame. I wasn't exactly trying to say that though. It's just a broad rule of thumb.

    As a Linux user I'm accustomed to logging in as an unprivileged user and performing upgrades/configuration/installation via sudo or su. But I'm not your average user. My friends and family are. Linux mostly follows a what? 20 or 30 year old security model? I just don't like people banging on something when the problem is almost *always* more complicated than they want to make it out to be. If we saw widespread Linux adoption *today* the most interesting thing about it would not be how it is, but how it would adapt. Because honestly for that kind of use, Linux and the existing security model isn't good enough either.

    On the server? Sure. With a reasonably technical person? No problem. But locking down a system *still* requires you know more about the software than most people should care to (default services/software patching/configuration/basic use).

    Anyway, I'm not saying I don't care or that I think everything's fine as it is. I'd love to see things improve. I just think it's kind of childish to say A is better than B. A has qualities and B has qualities. But I especially hate dogmatic arguments. It accomplishes nothing believing without questioning (which I'm not accusing you of doing). The previous poster's hard-line approach is unrealistic and frankly, lazy. I can lock down a Windows system with *almost* as good results as a Linux system. More importantly, I can treat my users with respect and help them have the best possible experience even under somewhat adverse circumstances. How frequently do you think my XP system has been compromised? Or yours for that matter?

    --
    Quack, quack.
    1. Re:So you monopoly is the main problem... by 99BottlesOfBeerInMyF · · Score: 1

      But the problem I have here is the simple fact that *this* is the current reality.

      There are avenues for change. One is the courts acting to stop MS and fix the market. Another is MS's monopoly eroding as Linux takes the business world and/or OS X grabs a big chunk of the home user market. We shall see.

      You are probably correct to assume there would be a different response to security if it was in the hands of the larger community. But things can get thorny there too. Q&A (which slows down the release cycle). Project forking. Compatibility. Right now Linux is good, but it's hard to know what the mainstreaming (if Linux was ready) of Linux would result in. Dumbing down? Certainly. Some concessions to security for convenience? Likely.

      I have a lot of faith in the power of greed. If Linux were in use by everyone, it would fork in a hundred directions and companies would be investing in it in order to get their slice of the money people pay for a computer system and accompanying services. The thing is, all the forks and companies would be striving to outdo one another and give users what they wanted, be it security or usability or both and good solutions would emerge because somebody would be making big bucks if they got it to work.

      Linux mostly follows a what? 20 or 30 year old security model?

      That's just the thing. "Linux" is a broad category. Some Linux distros, maybe even most have pretty antiquated security models, but some are cutting edge. If malware exploded on Linux causing a problem for users, guess what all the distro maintainers would be focusing their efforts on. Whether they are paid corporate developers or a hobbyist they have an interest in making their box secure, and they'd pull in some really cool, but mostly unused tech to do it.

      If we saw widespread Linux adoption *today* the most interesting thing about it would not be how it is, but how it would adapt. Because honestly for that kind of use, Linux and the existing security model isn't good enough either.

      We'd probably see the cutting edge stuff move to the mainstream. That means trust levels, certificates in repositories, MACLs, active scanning and a lot more tech you only see today at the NSA or some other security minded location. And none of this is necessarily going to decrease usability. Much of it makes things easier on the average user than Windows does today. Double clicking an executable on Windows today, might mean my computer is turned into a spam bot. That is not usable. If instead my OS in the background checked it against a malware list and a whitelist and restricted it in a sandbox by default so that did not happen, well that is more usable, not less.

      But locking down a system *still* requires you know more about the software then most people should care to (default services/software patching/configuration/basic use).

      Good defaults, AV like subscriptions, and pre-configurations by security experts can go a long way towards letting the experts secure your box for you.

      More importantly, I can treat my users with respect and help them have the best possible experience even under somewhat adverse circumstances. How frequently do you think my XP system has been compromised? Or yours for that matter?

      I agree we have to deal with what we have and make the best of a bad situation sometimes. I just think that equating security on Windows and Linux without accounting for the underlying motivational difference is a mistake. As for how often my XP box is compromised, well it is running in VM with internet access that needs to be enabled every time I use it and is filtered through another OS with better security. I also reset it to a known good image for every use, aside from one directory of only data. The issue, however, is not how secure either of our XP boxes is, but how secure the average person's computer is and what we can do to make that a better situation.

    2. Re:So you monopoly is the main problem... by msimm · · Score: 1

      I have no argument for any of these points. Better security would be beneficial and you're right, it *can* enhance usability (it doesn't always, but it can). But my argument was with the original poster's rather narrow view that Windows was bad (his refusal to help family/friends who used Windows?) and Linux or Mac was better (sure, in some cases, but *today*, across the board?).

      But if we moved into the possibility of Linux taking share, why not flip the coin? What do you think Microsoft would do? Wouldn't *one* option be to open Windows? That is, the BASE operating system as a platform? I could see that happening if they felt they'd risk losing the market altogether. *That* would be interesting too. We've already seen support and patches made available by 2nd parties. There is enough use today to make even a mostly open Windows an interesting idea. You'd have changes to security then too.

      But the fact is that being on top *does* mean more targeting. We know this already. The other fact is most people want the same operating system most other people are using. It makes things easier for them, and life is complicated, why blame them.

      Since we are unlikely to see the courts really shake up Microsoft the most promising possibility seems to be eroding marketshare. But it will still be a while. The future looks interesting. But when I hear people go off mindlessly parading some OS I'm still going to have the same response. Linux is good, ya, but it's not some magic bullet. And when it is, it's not like the rest of the OS designers are just going to lay down and give up. If it happens it will happen on a lot of fronts. Organically, like everything else.

      --
      Quack, quack.
  43. What? Mod Parent Down. by mpapet · · Score: 1

    I agree that moving files over is a minor issue. But, the other stuff is pure flamebait.

    Walking my family through command line installs of libraries
    Your printer remarks are equally suspect.

    ...thousands of dollars....
    THOUSANDS of dollars on software for the typical email/browser/occasional document machine? Are you serious? If you are, then it's not my fault they overpaid.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  44. Two Words ... by malcomvetter · · Score: 2, Interesting

    ... Default Deny.

    We have seen it in firewalls. We have seen it in military-grade physical security. We have seen it in banking. But, why, oh why, do we not see it with malware?

    [Analogy warning] About the best analogy I can come up with that describes just exactly how modern anti-[virus, spyware, threat du jour, or just plain "malware"] is this: Enterprises and home users are outsourcing the task of determining the trustworthiness of software applications that reside on their computers. However, they are forcing the outsourcers (the AV companies) to work both backwards and blind. "Blind" in that the outsourcers are not allowed access to see what applications are actually running within the trusted computing environments (or how well those applications play with others (do they run with scissors?)) and "Backwards" in that the outsourcers are not allowed to simply identify trustworthy software applications-- they're forced to identify the good by ruling out everything that is bad. And we all know that "good" and "bad" are in the eyes of the (ahem) beclicker. [End analogy]

    What we need instead is a serious set of solutions (and some are starting to crop up, but I won't cite any because I cannot vouch for their quality) that work in the POSITIVE direction, and not the NEGATIVE direction. In other words, we need anti-malware that simply inventories known good applications, comparing all code execution requests against the guest list before letting them get CPU resident. Assuming that code injection techniques (e.g. buffer overruns) can be quelled by other means (microkernels, randomized memory addressing, read only data memory, etc.), then the likelihood of malware infection with a Default-Deny approach (deny all applications except those on the guest-list/inventory) would dramatically approach zero.

    The real problem is ... economics. Anti-[threat du jour] vendors work on subscriptions because they can check for subscriptions before issuing malware signatures (it's the whole incentive concept we see all over again). But, there is no incentive for the customer to check in with the vendor if their tool is just installed and doesn't need re-configuring until the next time a new application is installed (presumably to update the inventory).

    And, like many other comments here have already noted, privilege escalation cannot be overlooked. Supposing a default-deny-anti-malware approach exists (and is worth using), if I operate the computer at the same privilege level of the tool itself [regardless of OS], it is possible for malware to disable the controls. And for the clever readers out there, yes, a set of default deny application inventory controls does seem similar to file system level controls--only execution controls further extend the FS permissions to cover the missing gap.

    Who cares about behavioral analysis? What behavior I dislike another will certainly like! Who cares about reputational analysis? What you trust, I may not! But, if we all just stop assuming that we can never speak intelligently about the inventory of "good" applications, then we might finally arrive at a solution that ends malware once and for all (well 99.999% anyway, we'd still have to worry about insider-threat ... and at that point it would no longer be a problem (as in a "social problem")).

    I guess I went over my two words. Apologies ...

    1. Re:Two Words ... by drsmithy · · Score: 1

      We have seen it in firewalls. We have seen it in military-grade physical security. We have seen it in banking. But, why, oh why, do we not see it with malware?

      Because it invalidates one of the primary reasons for having a computer - its ability to act as a general-purpose device and run arbitrary software at the user's demand.

      There *are* default-deny configurations out there - Windows has had facilities for whitelisting program execution for years - but the biggest problem with doing that is you *blacklist* everything you don't already know about. The next biggest problem is that the whitelist must be maintained by a knowledgeable operator or it is effectively worthless.
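
The "Default Deny" inventory malcomvetter argues for, together with the earlier suggestion (99BottlesOfBeerInMyF) of checking just the executable being launched against a blacklist and a whitelist at run time, as an added example that is none of the posters' code and not any product's: a hash inventory gate that allows only known-good images, records every decision, and makes approving a new image an explicit operator step (the inventory, the sample "executables" and the audit line format are all constructed):

```python
"""Default-deny execution gate (added example; not from any poster or product).
One question is asked per launch: is this exact image on the guest list?
Everything here (inventory, sample image bytes, audit format) is constructed."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    ALLOW = "allow"
    DENY_KNOWN_BAD = "deny: matches blacklist"
    DENY_UNKNOWN = "deny: not in inventory"


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class ExecGate:
    inventory: Dict[str, str]   # sha256 -> description   (the guest list)
    blacklist: Dict[str, str]   # sha256 -> family name   (known bad)
    audit: List[str] = field(default_factory=list)

    def check(self, path: str, content: bytes) -> Verdict:
        """Decide on the exact bytes that are about to be executed."""
        digest = sha256_hex(content)
        if digest in self.blacklist:          # a known-bad match wins even if
            verdict = Verdict.DENY_KNOWN_BAD  # someone has also approved it
        elif digest in self.inventory:
            verdict = Verdict.ALLOW
        else:
            verdict = Verdict.DENY_UNKNOWN    # the default: unknown means denied
        # Every decision is logged, so a denied unknown can be reviewed and,
        # if legitimate, approved; without that loop the list rots.
        self.audit.append(f"{verdict.value}\t{digest[:16]}\t{path}")
        return verdict

    def check_file(self, path: str) -> Verdict:
        """Hash the image as it is on disk, i.e. what would actually be mapped."""
        with open(path, "rb") as fh:
            return self.check(path, fh.read())

    def approve(self, content: bytes, description: str, operator: str) -> str:
        """Inventory maintenance is a deliberate, attributed operator action
        (the cost the reply above points out).  Returns the new entry's hash."""
        digest = sha256_hex(content)
        if digest in self.blacklist:
            raise ValueError("refusing to approve an image on the blacklist")
        self.inventory[digest] = description
        self.audit.append(f"approved\t{digest[:16]}\t{description} (by {operator})")
        return digest

    def pending_review(self) -> List[str]:
        """Denied-unknown launches that nobody has dealt with yet."""
        prefix = Verdict.DENY_UNKNOWN.value
        return [line for line in self.audit if line.startswith(prefix)]


# Constructed stand-ins for executables; real images would come from disk.
SAMPLE_EDITOR = b"MZ\x90\x00 constructed: approved text editor build 1.0"
SAMPLE_UPDATE = b"MZ\x90\x00 constructed: text editor build 1.1 (not yet approved)"
SAMPLE_TROJAN = b"MZ\x90\x00 constructed: bundled 'weather toolbar' installer"


def build_demo_gate() -> ExecGate:
    return ExecGate(
        inventory={sha256_hex(SAMPLE_EDITOR): "text editor 1.0"},
        blacklist={sha256_hex(SAMPLE_TROJAN): "constructed-trojan-family"},
    )


if __name__ == "__main__":
    gate = build_demo_gate()
    for name, image in [("editor.exe", SAMPLE_EDITOR),
                        ("editor-1.1.exe", SAMPLE_UPDATE),
                        ("weather.exe", SAMPLE_TROJAN)]:
        print(name, "->", gate.check(name, image).value)
    print("awaiting review:", gate.pending_review())
```

Two design points follow from the thread itself. First, the gate only helps if it runs above the privilege of the user launching things, otherwise malware running as that user can simply edit the inventory, which is malcomvetter's escalation caveat. Second, the unapproved update is denied exactly as drsmithy says it would be; `pending_review` and `approve` are the minimum loop an operator needs so that the deny-by-default list does not become worthless.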

  45. Re:Reputation does not prevent spread of viruses.. by malcomvetter · · Score: 1

    Dang. I guess that means I'm preaching abstinence.

  46. AV? Oh, you meant "Anti Virus" by Anonymous Coward · · Score: 0

    And here I thought this article was about the OTHER kind of AV... ...

    *fap fap fap*

  47. Re:What? Mod Parent Down. by Mister+Whirly · · Score: 1

    Have you ever tried to give support to a technical newbie who decided to "try Linux out" on a suggestion from one of his geek friends?? I have, and it was hell - much more hell than any of my "Windows people" ever throw at me. As stated in my post, Linux is great if you really like knowing the inner workings of an OS and you like to tinker. But 99% of the people could care less how it works and hate to tinker. Windows (or even OS X) are the more logical choice for such people. Claiming anything else is flamebait as well.

    --
    "But this one goes to 11!"
  48. With apologies to traditional folk singers: by StikyPad · · Score: 1

    (Sung to the tune of "Old MacDonald", traditional folk song)

    sammy baby put too many syllables
    In the lines of the parody lyrics
    And when a reader tried to sing them
    All he got was frustrated

    1. Re:With apologies to traditional folk singers: by sammy+baby · · Score: 1

      Pshaw. If there are too many syllables, surely you're just not singing them fast enough.

      Do some crank, try again, and call me back with your results.

  49. A little CEO... by triso · · Score: 1

    Over a course of pesto-drenched gnocchi and sautéed mussels with Trend Micro CEO Eva Chen...

    I love a little CEO on my mussels. Yessiree!

  50. And to think by Chiaro+Meratilo · · Score: 1

    I thought this meant "it's bad for your health to use AV software".

  51. Impossible with Windoze by flyingfsck · · Score: 1

    The Common Criteria configuration of Windows XP disables 56 unneeded services. However, the process list only shows 37 after the default install. So Windows is running a huge heap of shit that most people don't even know is running and which are impossible to stop by normal means.

    So, how did your friend disable all those things???

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  52. Re: Example by mpapet · · Score: 1

    The Windows NT (which all Windows versions since XP are derived from) security model is comprehensive, powerful and granular.

    If it's so great then why can't I just put an unpatched windows box on the internet with a public IP?

    It has always been possible to log on as a safe unprivileged user for normal work.

    Now that's just nowhere near the truth. I've got a stack of games that don't work in user mode. Intuit applications don't run in user mode. Furthermore, blaming resellers for Microsoft's design failures has no basis in reality.

    Microsoft's alleged priority of patching of WMP DRM failures
    See here for an example: http://yro.slashdot.org/article.pl?sid=06/09/07/1814232

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  53. Re: Example by drsmithy · · Score: 1

    If it's so great then why can't I just put an unpatched windows box on the internet with a public IP?

    For the same reason you can't put an unpatched UNIX machine from ~7 years ago on the internet.

    Now that's just nowhere near the truth. I've got a stack of games that don't work in user mode. Intuit applications don't run in user mode. Furthermore, blaming resellers for Microsoft's design failures has no basis in reality.

    No software developer has had a remotely justifiable excuse for releasing software that needlessly requires an Administrator level account for nearly a decade now. It is *most certainly* something that can be blamed 100% on "resellers".

    It's pretty obvious from this and other postings you have made that you have absolutely no idea whatsoever about the architecture of Windows and, most likely, any other OS. You're just a standard anti-Microsoft FUD mouthpiece.

  54. Re:What? Mod Parent Down. by chthon · · Score: 1

    You should not transfer in one step.

    I have only moved my father to Linux, but it was worthwhile.

    I started with dual booting his Win95 system to get rid of Internet Explorer and mail issues. I created three partitions, so that he could exchange data between the two systems. He used Linux for connectivity and Win95 for the rest.

    Some time later, I prepared a complete Linux system for him (Debian+ KDE 3.5). We kept his old system with a network connection, so that he could access it using VNC.

    The only things for which he calls are to know about the functionality of programs. He uses OO.o, GIMP, QCad, Sylpheed, and is able to use his printer, scanner and camera. If he calls because he has problems, he either finds it himself, or I am able to trace it together with him, and it's always because he has forgotten something (which would be the same under Windows).

    This particular migration took 6 years. This was because a whole lot of desktop functionality was missing and was only added incrementally. The last one to enter (about a year, a year and a half ago) was support for USB drives in KDE (it was available longer before in GNOME).

    I think, currently, the only difficult thing in migrating someone from Windows to Linux, is to have a usage, software and hardware inventory upfront, and based upon that finding out what the possible options are for hardware support, software equivalents and data migration.

  55. Re:Reputation does not prevent spread of viruses.. by malcomvetter · · Score: 1

    And I guess this T-shirt wraps it all up.

  56. Make more aggressive anti-virus software by cppgenius · · Score: 1

    Anti-virus software plays too nice with viruses. It needs to be more aggressive. If viruses don't play by the rules by infiltrating all kinds of places on your system, why can't anti-virus software follow the same route in severe cases? I mean a system plagued by malware can't be damaged any further if your AV goes a bit hard on your system to get rid of the malware. One thing for instance. There is nothing more annoying than installing an AV package on an infected machine only to find that the malware is disabling the setup program. Then you start into Safe Mode and now the installer doesn't work because it depends on the Windows Installer. Why the hell did you purchase the software in the first place? It is much cheaper to format the hard drive in that case. I know that making AV software more aggressive can lead to system instability, but I'm not suggesting AV going haywire in your Windows Registry or getting rid of stubborn files by causing bad sectors on your hard drive. I'm simply suggesting that you make AV software so that it can go to the same underground levels on your system as viruses and not bow to the supremacy of some nasty viruses, rootkits and trojans.

    --
    www.cybertopcops.com
  57. Re: Another Example by mpapet · · Score: 1

    What's this? A story that methodically reviews OSes for network security and finds Linux good and Windows uhh, lacking.

    http://it.slashdot.org/article.pl?sid=07/03/29/1717234

    It's reasonable to state that Windows XP/Vista is the most vulnerable OS when comparing Windows and Linux. No FUD necessary.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  58. Re: YET Another Example by mpapet · · Score: 1

    But, I thought Windows was secure?

    http://it.slashdot.org/it/07/03/30/1311247.shtml

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html