PEBKAC Still Plagues PC Security
Billosaur writes "Ars Technica is reporting on a study released by McAfee and the National Cyber Security Alliance (as part of the beginning of National Cyber Security Awareness Month) that suggests when it comes to PC security, the problem between the keyboard and the chair is even worse. PEBKAC has always been a problem, but the study highlights just how prevalent it has become. 87 percent of the users contacted said they used anti-virus software, while 70 percent use anti-spyware software. Fewer (64 percent) reported having their firewalls turned on, and only 27 percent use software designed to stop phishing attempts. Researchers were allowed to scan the computers of a subset of the users, and while 70 percent claimed to be using anti-spyware software, only 55 percent of the machines of those users scanned showed evidence of the software."
I use Avast free home edition anti-virus program and that's it. No firewall (and I turn off the "firewall" that comes with XP) and no anti-spyware programs. And in more than 3 years I have had zero malware of any sort on my computers running XP.
The secret of my success is that I also don't use Internet Explorer (except for the Windows Update website, cause Microsoft makes me). That one step protects me from >95% of the malware. The other 5% is handled by Avast and Firefox. And I don't download and install "free" programs and games.
Boycott Internet Explorer (and all of the loss of security, privacy, and control of your own computer that goes with it), use Firefox and a good anti-virus program, and don't do stupid things on the net and you're golden.
The NSA: The only part of the US government that actually listens.
GnmmmehfriSTTGnn!
Have you read my blog? Neither have I.
The problem is between the computer and Microsoft via the tubes.
...And in more than 3 years I have had zero malware of any sort on my computers running XP.
That you know of. A lot of zombie-related malware is intended to be very stealthy.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Nothing is ever, EVER going to be idiot-proof.
Because idiots are both highly prolific and highly creative.
Unless the world standardizes on a single platform, and never, EVER changes it again, this is always going to happen.
It's a matter of "that's not how I learned it" or "I never learned it", and they wind up making the systems do things they aren't supposed to.
It does, however, go to show you that even hordes of security professionals can't be collectively omniscient.
As always, "security" is a PROCESS, not an endpoint, not a product.
Chas - The one, the only.
THANK GOD!!!
that this really is not news to the crowd that hangs out here on /. We promote good security so much because we already know what the above mentioned article states. It is nice to have some numbers, although I'm always skeptical of "facts" on the interwebz.
"Some books contain the machinery required to create and sustain universes."-Tycho
when it comes to PC security, the problem between the keyboard and the chair is even worse.
And the problems are magnified even more depending on what kind of chair you're using.
The theory of relativity doesn't work right in Arkansas.
If you combine PEBKAC with the nightmare OS that is Windows, you see the dark and terrible Hell that has been created. Granted, it is true that a lot of people who use computers don't deserve them, but everyone feels they are entitled to them. Really, the majority of people haven't earned the right to use computers, because they have no discipline to do so. But they will anyway, because there is money to be made. It's like giving guns to chimps.
I started on Tandy 1000 286s, and Commodore 64s, so I have that discipline, that experience, I learned how to walk before I ran, and ran before I flew. But that just isn't the way our world works.
Do realize that the actions these insecure people with irresponsible habits take affect the lives of millions of people through scams, and DoS attacks.
So let's see, it's not software that is broken and buggy, but rather the problem is the users that 'inadequately' act as an insanely complex added layer of security, managing a bunch of brain-numbingly-unrewarding security layers.
This article reeks to me of a security industry that is proactively trying to cover its ass, primarily because of the fact that the only reason they thrive is because Microsoft 'needs' to keep its source closed, and the public 'needs' an illusion of security.
Sorry, but I've recently gone through about my 5th runaround of giving selinux-Enforcing an honest try, and realizing yet again what an utter pile of useless shit it is (for the vast majority of Fedora users at least). (review my past comments which I won't argue over again... or just laugh as setroubleshootd tells you how the solution to your problem is to reboot and force a relabel... pulling in hardcoded path state from /etc/selinux/....)
Wake up and smell the insecurity folks and get used to it. Don't say anything within earshot of a mobile phone's mic that you wouldn't feel comfortable with any telecom employee overhearing... or anyone those employees might give network access to...
It's a brave new world. Don't give me this shit that the users are to blame.
The error can be found in the operating system. Please remove all traces of the virus called Microsoft anything. Install Linux, FreeBSD and then rtfm! You will see your intrusions drop to 0%
some people are a "glass half empty" some are "glass half full" i'm a "there is something in the glass be happy" person
Similar here, but I've run XP, *no* AV, *no* anti-spyware etc for 4 years. I do have a firewall/wireless hub for the house. I browse with Firefox only, and that's kept up to date and has Adblock and NoScript. My mail is scanned (although quite a few nasties sneak through).
My wife is computer illiterate, but she knows she's only supposed to open a small set of attachments and sees me about the rest. She knows not to open anything she doesn't recognize.
4 years, no viruses/spyware etc. I've tried a couple of those online scans and they came up clean.
However, now the kids are starting to use the PC.... I've switched to Ubuntu. I'm not convinced I can set up an XP machine that can't be infected by them.
That switch was a *major* pain. Switching MSmoney to gnucash, losing Photoshop, copying outlook mail history to evolution, loss of PDA syncing, blah blah blah.
This Slashvertisement rates a 4.2 out of 5.
It caused many readers to wonder, "if McAfee has an all-in-one package that can handle all my anti-spyware, firewall, anti-virus and phishing needs?". However, McAfee was unable to get the actual product it was trying to pitch in its press release on Slashdot.
Well done (though not perfect) - another high-five to my those PR pros!
They're trying to suggest that AV installation rate suggests the users are incorrect...
But no AV protects against threats that don't fit their filter. Only the user is capable of detecting new threats, before signatures are updated.
Personally, I run no AV, or any other 'security' features on my Windows (gaming) boxes, and never have a problem. (Occasionally downloading a scanner if I suspect something.. only to discover an OS "feature" was the real issue.)
Their assertion is accurate - most of it likely is due to terrible users, but their metric is completely wrong.
is that with our computers today, all that it takes is a run-of-the-mill PEBKAC to screw things up.
One day, we'll look back at PC security of today and laugh at the crap one had to go through just to not have your typical PC go down in flames.
Just a thought.
Anyone care to explain how this acronym works?
sig.
I love that we're blaming the security problems caused by crappy architecture and coding on the users (the implication I take from PEBKAC in this context). Not only are we incapable of fixing the security problems the way they ought to be fixed, our patches to them (firewalls, antivirus and antispy software, etc.) require constant maintenance as well, and even then they don't work that well.
Sure, it's a hard problem. But I think it's ridiculous to blame security issues (beyond their downloading and installing spyware manually) on users.
Problem in Chair, Not In Computer. PICNIC.
That's the phrase I heard used to describe this condition.
ID 10T
So. I don't use anti-phishing software but then I don't just click on shit either.
problem EXISTS between keyboard and chair
as computers have become more powerful and versatile and the software more complex, the average user has a choice -- either become a nerd who follows all news, and spends large portion of their time learning about new technologies, how they are integrated, what risks are there, etc.; or ignore the problems, _trust the vendors_ to mostly do the right thing, learn the part of the interface they care about and react if they get hit. it is just not realistic to expect a user to know a lot about computers, as it is unrealistic to expect that a sick person can successfully self-medicate themselves to health.
so, while the problem is between the chair and the keyboard, it is between the chair and the keyboard of the people who create the software, and not the people who use it. mostly.
Can't wait for the "disciplined computer user" licenses, we can lock all those computer illiterate retards out!
I am sure there is an Ipecac joke in here somehow but I can't think of one off the top of my head. By the way, the Family Guy episode with the Ipecac drinking contest always makes me nearly piss myself laughing. http://www.milkandcookies.com/link/33774/detail/
Yes, users don't understand computers very well, that's true. Computer companies, however, should build this into the design, and minimize the amount of understanding and knowledge that users need to deploy to use computers. Blaming the users for the failures of the software industry is lazy, dishonest and self-serving.
Are you adequate?
PEBKAC is English, whereas PBKAC is Slovakian.
Problem Exists Between Keyboard And Chair...
... the official /. version of "In other news water is still wet".
Every antivirus software I've ever installed acts exactly like a virus. It runs processes I can't kill which spawn new processes, it can't be fully uninstalled, it takes lots of resources, it tries to phone home all the time, and annoys me with popups. Is there any good anti-virus scanner for Windows that doesn't change the registry and can be run on individual files or directories when you direct it to? All of the ones I've tried want to take over your system.
The problem is between the computer and Microsoft via the tubes.
Bullshit; it's not just Microsoft. A long-standing complaint of mine about Apple Mail is that it does not show the true URL in an HTML email via tooltips or any other method. The only way the user has to see the URL is to copy it, then manually paste it into the address bar in Safari or Firefox. So, "Click here to login to your account" is impossible to verify without extra work.
It'd take one engineer about 10 minutes to code in such a display, and they can't be bothered. But OH BOY, in Leopard, I'll get fancy pre-formatted emails to use for sending vacation photos!
Similarly, for all the fuss about how secure and better Ubuntu is, you have to recompile Netatalk with custom options (and the instructions provided don't work) to enable secure login. Why? Because of OpenSSL/GPL licensing issues that have existed for several years. Has anyone bothered to rewrite the hundred or so lines of Netatalk code to use GnuTLS instead? Nope!
PS: For those of you about to tell me "use samba", Netatalk handily outperforms samba and supports full MacOS filenames.
Please help metamoderate.
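The complaint above, that a mail client hides a link's true URL behind its text, can be checked mechanically. An added example (not part of the thread and not any mail client's code): it lists each link's real destination host and flags link text that displays a different host. The sample message and hostnames are constructed, and the same-site test is a simplification that ignores the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hostnames use reserved example/test ranges.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p><a href="http://login.example.net/session">Click here to login to your account</a></p>
<p>Or visit <a href="http://192.0.2.10/bank/">https://www.example.com/secure</a></p>
<p><a href="https://www.example.com/help">www.example.com/help</a></p>
"""

# A hostname-looking token inside visible link text, e.g. "www.example.com".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def href_host(href):
    """Host the link really goes to, or None for non-web links (mailto: etc.)."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower().rstrip(".")


def shown_host(text):
    """Host the link text claims to go to, or None if the text shows no URL."""
    match = HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def same_site(shown, real):
    """Simplified comparison: equal, or real is a subdomain of shown."""
    strip = lambda h: h[4:] if h.startswith("www.") else h
    shown, real = strip(shown), strip(real)
    return real == shown or real.endswith("." + shown)


def audit_links(html):
    """Return one record per web link with its real host and a verdict.

    hidden   - text shows no URL, so the reader cannot see the destination
    mismatch - text shows one host but the link goes to another
    ok       - text and destination agree
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        real = href_host(href)
        if real is None:
            continue
        shown = shown_host(text)
        if shown is None:
            verdict = "hidden"
        elif same_site(shown, real):
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append({"text": text, "shown_host": shown,
                        "real_host": real, "verdict": verdict})
    return results


if __name__ == "__main__":
    for record in audit_links(SAMPLE_EMAIL):
        print(f'{record["verdict"]:9} {record["real_host"]:20} {record["text"]}')
```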
Pick your poison: ... ... ...
Problem Exists
Possible Error
Probable Error
I'm sure you could come up with more, but those are the 'official' entries as I've heard them.
----- - The beatings will continue until morale improves
None of this info really seems useful or reliable.
13% don't use antivirus... how many are Mac or Linux users?
30% don't use anti-spyware stuff... how many are running OSX or Linux (again), or are browsing with scripts and other stupid things turned off?
73% don't report using anti-phishing software... doesn't IE have that on by default now? So the users are almost CERTAINLY misinformed about this one; they've got protections running they don't even know about.
Same for firewalls. I know both OSX and Windows XP and Vista have software firewalls, and I think the Windows one is on by default. (I recall having to manually activate the OSX one, for some reason.) So how many of those users just don't know they have a firewall running, or that the shiny shield icon in the "security" panel is called a "firewall"?
This looks like an anti-virus advert (or a close variation thereof.)
In my history of major computer usage, I had three "infections" that I had experience with. Of these three, I do admit I was a little foolish with one of them, but they have all been purged entirely. The anti-virus or anti-spyware only served as a reactive approach, and weren't effective in preventing the software from entering in the first place (in spite of the AV software displaying a warning that a program was infected.)
The only way to prevent virus infection - don't blindly auto-execute whatever enters your system, and don't blindly allow changes to the startup configuration.
How we know is more important than what we know.
...caused by n00bs!
Am I the only one who disagrees with the premise of the article? I don't run an anti-virus program because there are virtually no virus programs attacking Linux. I am not part of the "only" 27% that use anti-phishing software because I don't need a computer program to tell me not to click on "We're closing your account unless you give us your password" emails. I'm also curious about the article's discrepancy between 70% of users claiming to have an anti-spyware program vs 55% "show[ing] any evidence" of such a program. I claim to have an anti-spyware program installed, Konqueror, which doesn't use ActiveX nor Java (except for select sites), nor will it download, compile, and run as root arbitrary programs some random site wants to serve me. But I'd bet money that McAfee would count me with the "no user" site.
And worst of all, according to both the article and the Slashdot summary, I am a "problem" user due to not properly securing my system.
I disagree.
This is so true, so very true
That you have to know such details is evidence of the complete security failure of non free software vendors.
Worse, you are wrong. You can avoid IE because it's embedded in many applications and it's far from the only hole you need to worry about. In most tests there is no operator, just a default install plugged to the net.
Free software is not perfect but it's much better than Windows. While Windows takes 12 minutes on average to become part of someone's botnet, GNU/Linux systems typically take months. Even if this is only due to the "popularity effect" it's not likely to change because there are so many different GNU/Linux distributions that vary build options and order of software load. GNU/Linux will never be the kind of easy monoculture target that Windoze is and its users will always be better off.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
... for the crappily insecure, services tied to ports, admin rights for all, Windows that they've been selling (or rather imposing on to) people who buy PCs. I mean they stuck IE in there and added wizards for connecting to the Internet right? But they never bothered to fix all the security holes. Why should I have to pay for AV and firewall - THEY should pay - so I want my money off them. Who's with me?
I mean they don't sell cars without brakes do they?
Loose nut between the keyboard and chair. Please use the correct terminology :)
1) posts concerning stupid user anecdotes, and the perils of stupid users
2) posts concerning elitist administrator mentality concerning users and the perils of treating users as the problem
3) posts concerning effective training
4) that ac who always posts that longass vulgar post.
Thank you and goodnight
Ice Cream has no bones.
Just because the users are stupid and run Windows as administrator, doesn't mean the OS itself is insecure.
PS: I am posting this from my Kubuntu Feisty machine.
new news, people break computers, anyone who thinks they have an idiot proof computer program just hasn't met the right idiot.
Blazing Spiders
There's a number of separate issues here:
1) IMHO, it's impossible to protect users from messing with their own data, IF you want to make systems useful. A good option could be a versioned filesystem on a remote server (outside direct control of the user), where old versions of his/her files could always be retrieved. Without that, a user that says: "delete file XYZ on my local drive" will just do so, regardless of whether that was the intended or sensible thing to do.
2) It's next to impossible to make the complex software systems of today 100% bug-free. So you always have the chance that some program fucks up (remotely triggered, on purpose or otherwise), and screws up user data. A sensible (automated?) backup strategy should protect you from this one though.
3) And then there's the OS kernel, core libraries, hardware drivers, bootup files etc. This should be the easiest part IMO. It should be possible to have systems where users can fuck up their own data, and sometimes get hit by crappy/malicious programs, but where the base of the system remains functional and reliable, regardless what happens to everything running on top of it. When I consider it's about 25 years ago I first got familiar with the concept of a personal computer, I am really *AMAZED* the IT industry hasn't even reached this point. Is it really *THAT* hard to design software systems where users can add & remove 3rd party packages or update non-essential components, without endangering the core functionality of the system? That's not a user friendliness vs. security, but an overall system design issue.
Problem exists between keyboard and chair
I don't want to talk about that because I'm not the most qualified person in the area to comment on the issue. I have my perceptions, I'm probably going to shoot myself in the foot by proceeding further and embarrassing myself.
Does it strike anyone else here as strange that the user is blamed for the virus/spyware/phishing? The user didn't create the problem, so PEBKAC is false. These numbers merely report how many of the poor sods aren't capable of defending themselves against the attacks of those with questionable moral fibre. Now not only are these users having difficulty with using their computers, they are being blamed for the actions of those causing the trouble.
Looking at the article I would assume n=378 is the number of participants. If so, isn't that a little on the low side no matter how they are picked?
:(
A subset of this would have a pretty big margin of error would it not?
Most studies I recall use more than 1000 people to get to 3% error, not knowing the subset (or the set for sure) wouldn't a margin of error nearing 10% be entirely possible?
This would seem to invalidate the whole thing pretty much (in case the McAfee tag didn't do that already!) This would leave the only significant info being some of the anti-phishing and anti-spam stuff.
So...
More people say they have anti-phishing and anti-spam than do. Kinda redundant since the only dangerous spam is phishing.... and avoidable without software.
and
A lot of people have outdated AV. This has been the case for almost 20 years....
Had a few problems on office machines that could not run our software, Windows, AND AV all at the same time but nothing major.
Personally no problems except for Michelangelo that turns up on my old disks every now and then that tries to infect my 386 (CPAV 1995) and got my XT again
Slashdot is a bit like having a site for steam engine enthusiasts who sit around talking about how the average user doesn't grease his flange compression ringlets between fly wheel alignment cycles, and then having a good old laugh at them while at the same time being a smug prick.
These people may have more malware, but I bet they get laid more often.
God Be Gone
Or shouldn't be.
Most computer users, at this point, have about as much skill with computers as we started out with driving -- we know that when you turn the wheel left, it goes left. When we turn right, it goes right.
Most computer users know two things: point and click.
With cars, beyond that, we either learn from experience or from a mandatory Driver's Education. We know that you have to have insurance, and you have to change the oil every now and then. We know to get license plates, we know where the brake is, and where the clutch is, and how to adjust the mirrors, and how to signal a turn, and not to drive drunk, and not to pick up hitchhikers.
With computers, there are two big problems. One is the lack of good education -- there really isn't much to span the gap between the Video Professor and UNIX Man pages. The other is the general attitude of most users -- no matter how much or how little you know about a computer, you always assume you know enough. They arrogantly refuse to "become a nerd" by even learning basic things like what a URL is (checking the domain is an obvious way to spot a phisher) or how to update their computer (even when it's ONE FUCKING CLICK, they will never do it, and if it's automatic, they'll never notice or care if it didn't work).
You can argue all you want about how unrealistic it is for a person to be expected to know how to use a computer -- but think back to cars. Where would we be now if, instead of 50 years of engineering going into design, fuel-efficiency, and safety, we had 50 years of engineering going into cars that protected themselves from you, the user. Not the simple, obvious stuff like automatic transmission and anti-shock brakes -- I'm talking about using GPS to detect you about to drive off a cliff or into a river (and stopping you)... Hell, we TRIED some similar stuff, with automatic seatbelts, and everyone hated it.
I volunteer to teach driver's ed for computing, but if you don't know what a file extension is, you shouldn't be using a computer.
My antivirus is called Mac OS
My anti-phishing software is called Common Sense
The only time I have a problem between the keyboard
and the chair is... when I visit porn sites...
but maybe it's just me.
Even security software is often pirated and bundled with malicious stuff, it is just greed at every step and somebody surely takes advantage of that.
To all of those who are crowing that they haven't run virus protection or spyware scanners in xx years. Why are you proud of this fact? I get it that viruses aren't as prevalent as the media wants you to believe. I understand that FUD is everywhere. I get and agree that saying you are "probably infected and just don't know it" is simple paranoia (and is treatable, I hear).
That all being said nobody has given one single reason why they don't run virus protection or spyware scanners. Is there something wrong with being a little paranoid?
I haven't been hit with a virus since I last let a student friend use my computer and put her school floppy in my computer (that should tell you how long ago that was). However, that doesn't stop me from having a hardware firewall, virus scanners on every computer, Ad-Aware pro, and other shit I'm not going to get into. It's just cheap insurance and nobody has given me a reason that I would be better off not buying that insurance.
Do you drive your car without insurance? Do you drive without buckling your seatbelt and leave all of the windows down so that you will be "thrown clear" in the accident?
Sticking your head in the sand may make you feel good, but don't kid yourself that it makes you safer!
The problem is not that users fail to use anti-virus, anti-spyware,
anti-phishing, anti-left-handed-metric-wrench software.
The problem is that users CHOOSE to use operating system and
applications which are so miserably designed and written that they
are susceptible to these problems as-shipped by the vendor(s).
(I take the position that any OS which needs anti-virus software
to survive in the wild is clearly broken and should never be used. By anyone.)
Anti-* software is a band-aid. Its use is a clear indication that the
product it's trying to band-aid is broken. And anyone deliberately
using known-broken products should not be very surprised if Bad
Things happen as a result.
It continues to amaze me that anyone is surprised by this --
although I suppose by now I ought to have gotten accustomed to
this state of affairs. [Some] people install obviously defective
operating systems (e.g., any version of Windows), use obviously
defective mail clients (e.g., Outlook), use obviously defective
web browsers (e.g., IE) and then actually expect that they can
somehow make up for this series of stunningly poor decisions
by installing enough add-ons. It doesn't work, of course, which is
why we see hundreds of millions of infected systems out there,
spewing spam, conducting DoS attacks, poking at web servers,
brute-forcing ssh servers, and so on.
My point being that by the time the conversation has gotten to
anti-* software -- it's too late. The damage has been done, and
there's no undoing it (despite lots of wishful thinking and the
earnest assurances of anti-* vendors, who of course, let's not
forget, have a substantial profit motive).
(Ah. About this point, some M$ apologist will raise one of the
usual canards -- for example, "M$ products are attacked because
they're popular". Not true, of course; M$ products are attacked
because they're miserably weak as a result of incompetent design
and even worse implementation. M$ is hardly alone in this, it's
that for some inexplicable reason, it seems to attract the most
defenders -- despite the fact that as possibly the most well-funded,
well-staffed, well-equipped software company in the world...it
has repeatedly proven that it can't even write a decent mail client.)
So. These studies shouldn't ask questions like "Are you using
anti-spyware?" They should ask questions like "Why are you dumb
enough to use an OS/application software combination so badly
written and maintained that anti-spyware is deemed necessary?"
There is. Just about every Linux distro you could name, apart from Studio64 because it's stupid, leads users to install and recommend Linux distros to other users. As far as I know, they all include ed.
There's your malware propagation right there. Whilst ed doesn't harm your actual PC, it is so horrendously damaging to the PEBKAC (Person or Entity Between ... etc) that it is by far the most dangerous malware in all history.
I don't therefore I'm not.
...to protect the end user from himself. Programs do require chmod +x to be run, but there is another opportunity I like very much: it is possible to forbid the end user to execute programs from a folder whose owner isn't root. So the user would need to:
1. download malware
2. chmod +x malware
3. su
4. cp ./malware /bin/
5. /bin/malware/
6. ???
7. Profit! (Sorry, couldn't stand it)
As for me, I don't have any anti* software. I have a firewall (the real one, not some "this app is trying to connect to the internet Cancel/Allow" one), Gentoo Linux with portage-only software, no custom installations, recompiled kernel and Common Sense as the major line of defence against phishing and trojans.
I know that my system is well-protected yet I still don't click those stupid links and don't open attachments in suspicious mails anyway even though the malware will not work on my system.
I like the idea of computer user's licence similar to driver's license, but, unfortunately it is not possible.
TEN years now since Microsoft deliberately introduced an inherently insecure design to try and make an end run around their agreement with the DoJ and nobody at Microsoft has gone to jail for it. And that's despite the zillions of dollars and man-years and sanity points that have been wasted by people trying to patch it and deal with it and who just plain suffer from it. I'm still amazed.
Dealing with PEBKAC is a daily occurrence. Not a day goes by where PEBKAC isn't found on the other end of some tech support call. It doesn't matter what type of application you're supporting either. Insurance software, software for translators, you name it! I am just amazed sometimes. I realize that it is not everyone's "thing" to know how to use a computer, much less maintain one, but some of these people would be in serious trouble if breathing weren't an involuntary action. How do they not run themselves over with their cars?
To all of those who are crowing that they haven't run virus protection or spyware scanners in xx years. Why are you proud of this fact?
Because I've been a network administrator herding a 100-400 programmers plus their administrators and secretaries and sales guys and so on, for 20 years. And I do protect myself.
* Don't use Windows at all unless you have to.
* If you have to, don't use any application that uses the HTML control on untrusted content.
* If you have to, don't run any services on it you don't need.
THAT is "protection".
If you don't do that, you're having unprotected sex with the Internet.
Using Antivirus software is like taking prophylactic antibiotics and interferon and RU486 every morning. And like taking drugs you don't need, antivirus software can cause problems just by running it. It can crash your programs, lose your data, and false positives can cause you to waste time.
When someone new to our network was having problems, first thing I typically did was turn off ZoneAlarm on their computer. That gave me an opportunity to make sure they had a recent non-IE browser and a non-Outlook mail program, and let them know of our corporate policy on IE and Outlook (which was 'you don't use these programs on our network').
We had no virus outbreaks until we were forced by the parent company to standardize on McAfee antivirus and IE, turn on the Microsoft remote administration tools, and so on... and when the company got hit by the next worm we got it too. First time that had happened since we started seeing the virus storms come through five years earlier.
Do you drive your car without insurance? Do you drive without buckling your seatbelt and leave all of the windows down so that you will be "thrown clear" in the accident?
Nope, and I don't drive my computer without a real OS, and I don't use Windows without disabling as much IE as I can, and I don't run antivirus software so that when I'm infected it'll tell me it's deleting critical system files because they can't be repaired.
Sticking your head in the Windows may make you feel good, but don't kid yourself that it's safe.
but everyone feels they are entitled to them
Because Microsoft has spent the last 25 years telling them that. Now, there's nothing wrong with this, and it's a good piece of marketing, except for the fact that Microsoft decided that every app, every piece of functionality that Windows offered, was a hook into the OS that could be easily exploited. Remember when Office was, essentially, the Microsoft Virus Development Kit? Up until about Windows 2000, almost every single thing Microsoft did compromised security for the sake of functionality, and we've been living with the fallout of it ever since. And of course since Bill Gates was so wise as to not even acknowledge the Internet until it was sitting on his concave chest and dangle-spitting in his face, the acknowledgement of the need for security languished for years longer than it should have.
Everyone should be entitled to computers, IMO. Unfortunately, there is no operating environment which anyone can safely and securely out-of-the-box use while remaining completely ignorant of security. There will be some day, probably soon. OSX is probably the closest. Vista is probably pretty close by virtue of its heavy-handed, boat-anchor approach to security, but who wants to use an OS that renders your hardware to a tenth of the performance it should deliver? Using a low-end Gateway laptop (which would run XP just fine) that came shipped with Vista was literally the worst computer experience, in terms of performance, that I've had since my floppy-based Amiga 500 almost 20 years ago. Who is worse at fault here? Gateway for rendering a fine piece of hardware almost useless? Or Microsoft for letting them? Good thing Ubuntu runs on it just fine, and it feels as speedy as a much beefier machine for simple day-to-day stuff (e.g., NOT raytracing or gaming).
You are in a maze of twisty little passages, all alike.
What's wrong with XP SP2 security wise?
For one thing, between XP, AV, Anti-Spyware, and the million and one things that are constantly popping up warnings and wanting to update themselves, the users quickly become desensitised to what's going on on their computer. Take OE as just one example. It gives the user a dire sounding warning every time they open any kind of attachment regardless of whether it's something really dangerous or not. Of course they can turn that off but then they don't even get warned when running an exe attachment. Don't forget, OE is pretty much single handedly responsible for getting users used to html email, you know the most common phishing method. IE is even worse, they've spent years training users to accept ActiveX content even though they knew full well that it was dangerous. Sure they have 101 different security options as well as several different "Security Zones" but in practice if the user actually changes ANY of it they end up having to click OK fifteen times just to view a simple web page so instead they all just put things back to the default "bent over" position and call it a day.
Just because the users are stupid and run Windows as administrator, doesn't mean the OS itself is insecure.
It's not stupidity that keeps people running as admin, it's the fact that doing so is almost impossible for the sorts of users that most need the protection. Not only do many common programs require admin privs. but when they do require these privs. they don't just tell you so, instead they just fail in pretty much any random way they feel like, you know, the way Win apps have been failing for decades so the user usually doesn't know that it's a permissions issue. All they know is that when they run as a non admin their $50 win-printer doesn't work. If they actually manage to work out what's going on they may try using Run As but that only works about half the time because the elevated permissions aren't inherited by other programs that the initial program may spawn. Eventually, even users who are aware of the dangers end up going back to running as admin because anything else is just too hard.
The problem is that if the user can kill it, so can the virus.
The virus shouldn't be able to start running so it can do that. The APIs and network protocols should be designed so that BY DEFAULT no untrusted content even has a mechanism to request that it be run, and to actually run any the user should need to explicitly navigate to the document through a separate user interface (eg, a file or download manager) and explicitly ask to run it.
That is, the browser should not EVER automatically give you the opportunity to run a file that you just downloaded. Not through ActiveX, not through installers, not through a helper application, not through "open safe files after downloading", not through anything. The browser should not allow newly installed applications to enable helper applications or plugins... the user should request that. There should not be any path by which, from normal browsing of the internet, you can execute newly downloaded code or previously downloaded code that the user has not explicitly requested be run.
Period.
There are ways to do this without making things inconvenient. Hell, I can't imagine any reasonable API that's more inconvenient than what antivirus code and other non-solutions puts you through.
Because...
Security is like sex, once you're penetrated you're fucked.
Once that virus is on your computer, and running, you've lost. You're owned. Your antivirus MIGHT catch it a few million clock periods later, but only by putting so much extra code in the critical path on your computer that it's amazing it runs at all.
The place to fix the problem isn't the figurative "next morning" after the virus has already run. It's to keep the virus from running. Only Windows and IE put out the welcome mat and nail it down so that the morning after pill is the only solution people can imagine using.
The problem is between the programmer's chair and the programmer's keyboard: programmers are responsible for making security dead simple. Users just use the stuff.
This is one of the most elitist pieces of crap I've ever heard.
It is in fact the case that most people who write published software should be keeping their crap code private. It is they who do not have sufficient discipline or foresight. However, they will continue to write broken software because there is money to be made. Responsibility for the disaster we call computer security falls squarely on their shoulders.
Damn serfs, getting computers. I wish we could put all stupid people on an island somewhere and just kill all of them.
Relax I just want some peanuts.
That is stupid. Users have a right to own their own software and hardware. Users, customers, and people do not buy a license to use software. Nor do they, for the most part, lease hardware. They buy it, and they own it, and it is theirs. What you are suggesting, is selling crippled machines under the guise of security.
Aside from being morally retarded, it still ignores the issue of human nature. All it would take is one person that has some of these "root passwords" to sell them, or leak them, and users' machines could be compromised and they would not even be able to detect it. It will happen, sooner or later. You cannot say that the info won't be leaked, social engineering, lapse of judgement, or outright theft could all cause the leak. Look at the recent history of leaks on /. alone for examples. To say that even with the information an attacker could not break your Hard Core security model is naive at best. All code has bugs. All security models have holes.
As I have stated above, your idea does not solve the problem, and is an insult to users of whatever product you make with this idea in mind. Further, for it to be effective you must get people to use it. How would you do that? Even good Software is not enough to compel users to switch if what they are using does the job at least mediocre. Look at the number of people using Windows, and Office. This is evidence enough that people won't change. Would you have governments regulate that this security must be used? Certainly this scheme must be a DRM like scheme if it restricts the rights and privileges of users on their own machines. Would your "qualified professionals" support this? Let's just ask some of them here on /.
Your poorly laid out suggestion also ignores another key question: Who would determine which ones of us are "qualified professionals"?
If users don't control their own machines, Someone must. They will need this "root password" to do software upgrades, install trusted and useful software (we can't let users do this or the point is moot), do system upgrades. If every nimbwit @ best buy's geek squad can get this access then systems will still be infected, because some of these people are dumber than most users we are trying to protect. They would, at the very least, use their access to unlock their home machines. Then they are victim to all the same tricks and exploits they are now. If you restrict it too much then people won't want to use your platform, and will either use something else or get very upset until things are changed. Of course then we need to decide who picks the "qualified professionals". I don't want you picking them, and I bet you don't want me to. Neither of us wants lawmakers to pick them. Microsoft wants Microsoft to pick them; others disagree sharply. This is another non-trivial issue your moronic idea fails to account for.
In short:
Piss Off!
Windows and Chair.
Um, no. You ran as fast as you could on those Tandys and Commodores, which inspired you to run on to the next thing when it came out. Get off your high horse and quit whining about all the "stupid lusers". I think people like you are the only ones feeling "entitled" to anything.
Just because the general population didn't feel like screwing around with four color graphics and swapping floppies doesn't mean they are somehow inferior to those of us who did. They see computers as usable now and are overwhelmed by the IT world we created. Show them how to do it and explain why best practices are best. Make them learn every step of the way and stop rolling your eyes, booming "Moooove!".
Basically, the first commandment of dealing with others is:
Thou shalt not be such a Douche.
Shift happens. Fire it up.
How is this different from AV products prompting to update, to Azureus prompting to update, to KNotifier (or whatever the KDE update checker is called) asking me to install updates in Linux? This is far from being a Windows security issue. This is simply software update/interface problem. Yes people get fed up. Imagine if the planet was running Ubuntu, I bet that within months many people would switch to root because they'll be fed up with the password prompts for everything. Again, the problem is not Linux security, but people. If people are too lazy and stupid to understand security basics, let's not blame the underlying OS.
As for RadioactiveX components, I've been using Firefox for about 3+ years, if not more, have yet to see one major site, hell, one website, asking me to install a component. On the corporate side, a competent AD administrator will lock down every single station easy.
Finally, for "Run As" and people running as administrators, if software is written to be run only by administrators, then it's the software maker's fault not the OS, it's shitty software. Do you blame Linux (or Windows) when a shitty ATI driver crashes? No. I've been running Windows as a "peon" user for over 6 years now. The only programs I had to run with "Run As" were CD ripping/burning programs (Nero 7 allows to run as non administrator). Rest all worked fine: Office, media players, email, browsers, media transcoders/editors, Visual Studio, Eclipse, name it. And unless I am mistaken, if programs use basic CreateProcess() API to spawn children without SecurityToken fiddling, they should be fine. This is what Microsoft does, fire up CMD.exe as administrator and whatever process you start within that command box is running as administrator.
Windows XP SP2 and beyond has a very nice security framework. Perfect? No. A nightmare? Hell no.
Several of the top viruses of 2006 were over 2 years old (according to a report by Sophos). Obviously there was anti-virus protection available for those threats but many, many people aren't protecting their computers. It's no wonder why creating huge botnets continues to be so viable.
I don't use any special anti-virus software, anti-spyware software, or anti-phishing software, and if my firewall was turned off I wouldn't have access to the Internet (Routers don't work very well when powered off). Oh, and there is no such thing as a 'software' firewall.
Virus makers tend to target a different platform than the one I use, since its underlying design is easy to code such things for. Ditto on spyware.
I don't need anything other than my own wetware to avoid phishing, mostly they are bleeding obvious, because I don't have an account at the institution/site they purport to come from. For those institutions/sites that I do have an account with, it's almost as easy. A combination of not using email software that lets email 'disguise' URLs as anything other than the actual URL, some basic common sense about what those institutions are likely to email me about and when, and for anything that gets past that, I still ignore the email and instead log into that site directly (using my non-virus-and-spyware-susceptible software&platform) and if the email was something to be concerned about, there would be a notice there.
And I don't need any 'extra' software to protect my machine from the Internet. By default it doesn't leave things accessible remotely.
One more last thing - banks DO NOT send you an email telling you that they will suspend your account if you don't hurry up and click the link and type in your sensitive personal information. If you get one, it's a scam. Period. And if by some insane chance a bank really does that, you still don't want to follow those instructions. You want to drive to the bank and close all your accounts there and bank somewhere else.
there is no reason to lose photoshop, especially on ubuntu. It's really quite easy to bring it over and use it. I use it on my Kubuntu laptop and it's great. Just install wine, and follow these instructions...
...I used to run CrossOver office to run photoshop on linux, but Wine's plenty up to snuff on its own now. The only bug that I get is the layers palette: if the icons aren't on the bottom of the palette DO NOT resize the palette or you'll crash wine, freeze the system and you'll lose what you were working on. Instead, double click the layers tab to collapse the palette, and then do it again to expand. With this, the icons will be on the bottom again, and you'll be good to go, resizing the palette and everything.
:)
http://luiscosio.com/how-to-adobe-photoshop-cs2-on-ubuntu-10-steps
Outside of the palettes hovering over everything regardless of the desktop you're on (just hit the tab key to hide the palette before you run away), Photoshop is as good as native application. I haven't had to get CrossOver office on any of my latest installs
...clueless lusers are the biggest problem and that they are as clueless on Windows as they would be on Linux.
The favourite Microsoft Fanboy Argument about the easiness of Windows is a dead herring, just because someone thinks they can use an OS does not mean that they can.
...and since Microsoft makes anybody admin per default (on Vista too ?) anything the user runs can kill both the virus scanner, firewall and anything else (if not by simply shutting it down then by putting it in debug mode).
--
Yes, I'm probably starting another flamewar... but my args. are valid.
I don't know, I've never had a problem that wasn't solved with a simple application of Google. By the way, what would you suppose would be the most intuitive place to put appearance related options? Left clicking the desktop, picking the relevant option [don't recall what it is- only used KDE once or twice], and the option to have a mac-style menu bar up the top is on one of the first two tabs.
We at slashdot are scientists, specialists and kernel hackers. Your FUD will be found out.
How is this different from AV products prompting to update, to Azureus prompting to update, to KNotifier (or whatever the KDE update checker is called) asking me to install updates in Linux?
I just tried out Azureus today for the first time and that's a feature I'll be turning off if I continue to use it. Maybe my KDE is out of date (I run Debian) but I've never had it do that and I can't think of any other Linux program that does either. Normally all of my updates are handled by a single update tool so keeping up with security updates is easy. In Windows it seems like every program feels like it just has to run continuously in the background and bug you regularly for some sort of maintenance or other. It's a cumulative effect, when people are constantly being bombarded with messages that, half the time they don't even understand, they just give up and start blindly clicking OK on everything they're presented with. That's a big part of why so many people fall for those fake windows error messages some web sites use to get them to install spyware etc. Clicking OK has just become a reflex action and they don't even think about it anymore.
Finally, for "Run As" and people running as administrators, if software is written to be run only by administrators, then it's the software maker's fault not the OS, it's shitty software.
I don't know whose fault it is I just know that if you give Joe user a computer with a non-admin account they are guaranteed to find some random program that won't easily run as a regular user. Usually there is a workaround or alternative program they can use but then later they come up with another..... In practice that means that less technical users almost always give up and go back to running as admin.
Windows XP SP2 and beyond has a very nice security framework.
That may be, too bad that it's all turned off either explicitly by running as admin or implicitly by training users to reflexively click OK like a lab rat at feeding time.
What the heck? keyboard and chair? The chair's only connected to one thing, there's no feedback path that goes through it (unless you've got some kind of fancy haptic chair...)
Shouldn't it be "problem exists between keyboard and monitor?" or screen?
Can you be Even More Awesome?!
There's actually two versions:
ClamAV for Windows, a simple command-line utility
ClamWin, which I use. It has a GUI and scans on demand. It can also run scheduled scans/updates. While it is far less intrusive than most antivirus programs, it does put an icon in the system tray for doing the scheduled stuff, and there's no option not to run it at startup. It can be removed easily enough by removing the startup entry using autoruns or regedit, though.
Had a few problems on office machines that could not run our software, windows, AND AV all at the same time but nothing major.
Easily solved - just run only your software and AV...
- T
If the major anti-virus software vendors didn't make products that A.) tried to lock people into subscriptions they don't want, and B.) continuously annoyed the bejeezus out of them, maybe compliance would be much higher. Hardware vendors should really take the high road, and ship consumer machines with anti-virus protection that will be free forever. Free for the first year does NOT cut it. Moreover, I've more than once found myself screaming at the computer, because McAfee's godforsaken anti-virus software was causing me trouble, and it insisted on restarting itself every time I shut it down. My anti-virus software should shut up and GET OUT OF MY WAY, unless I have a virus on my computer. I don't WANT it popping up little windows to let me know about all the creative ways it's finding to slow my machine down. I don't want to be dumped to the desktop while playing my favorite videogame, because I accidentally clicked on some stupid notification bubble McAfee shoved in the corner of my screen, to let me know it patched 3K of data. LEAVE ME ALONE.
It seriously gets so bad that I look forward to my free subscriptions expiring, so I can justify uninstalling that junk, and installing ClamWin, instead.
As for phishing... I wasn't even aware there WAS anti-phishing software. Honestly, I don't think software can protect you against human exploits. The best way to avoid phishing is to use that squooshy gray thing between your ears. I hear it works wonders.
How can I protect an XP box? Assuming that the built in security is inadequate or I am misusing the product. What free products are available to defend my box? Assume I am the average user (I am not). I once tried to explain email to my grandmother (she only recently got a computer). Pretend like you are talking to someone who knows how to turn it on and not much else. Also maybe talk to more advanced use.
thanks
f
Just because someone doesn't run antivirus software doesn't mean they have viruses, and just because someone doesn't run firewall software doesn't mean their machine is open to attack. I have NEVER used antivirus software. It clogs the system and slows it down. Then again, I'm not stupid enough to open random attachments in my email, and I don't use Internet Explorer. I also don't have any firewall software and Windows Firewall is disabled. Why? Because I'm behind a router. Of course some vendors of software are going to try and convince the ignorant that users without their software are a danger.
Good job Twitter, you are finally admitting that Linux can be 'owned'. Is this going to stop you from posting your "1 in 4 Windows machines are in a botnet" troll?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
The ones who said they were using an Anti-Spyware solution who actually weren't, may well have fallen victim to the classic "You have a virus! Give us your money and we'll sort it out!" popup and ended up with more spyware. Ed
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Lazy kids using computers mommie and daddie got for them and mommie and daddie still having no clue about computers. They still don't teach these things very well in school and a great many grownups are still behind the learning curve when it comes to PC maintenance. Still, laziness is probably most of it. People just want to get on, get email, and get off (pun intended), without the hassle of waiting for downloads and rebooting the machine to install updates.
I don't understand. If I look at what's between the keyboard and the chair, it's part of the leg, my testicles, my stomach, ... I don't see how any of that could be a problem (well, at least not with computer security). If anything, I'd expect the problem to sit in the brain (not mine, of course :-)), but that's clearly not between keyboard and chair.
:-)
But then, maybe stupidity correlates with a strange habit of having your keyboard above your head.
I'm a sys admin for a small company, and yes, most of my problems are user ignorance induced. But I figure that laser engineers don't need to have my level of computer skill, because they have me. They don't ask me to build lasers, I don't groan when they ask me to install a printer. I try to teach my lusers as I fix whatever problem they've caused, and sometimes it helps. Some users just assume computers are beyond them (mostly the ladies and older folks).
The first company to implement the following will make a bajillion dollars: Make computers work like video game consoles. You want to surf the web, insert "Web Surf Disc". Time to write a book report? Insert "Text Editor Disk". Programs could work off ROM chips. Then make it so there are as FEW options as possible. Make it so the user can have one program running at a time. ROM chips will facilitate this nicely. If you copy a bit of text, you can save it to the central OS, then switch to Text Editor (closing Web Surfer), and paste it. Tightly control who can make software and hardware. Less is more. Get the software right before you ship it. Computers are far too powerful for the average luser. My mom doesn't need to be able to set virtual memory. She just wants to type up letters and surf the net a bit. If computers were as simple as toasters and DVD players, we would have a fraction of the problems. Such a system should also cost less, and sell more units.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Anti-$SOMETHING software is the wrong approach to security, because it is only a reaction to threats that have existed before. Real security is designed to PREVENT security holes.
For example, a worm enters a computer system by exploiting a buffer overflow bug to modify a pointer, which changes the way the program works. Now look at an IBM AS/400, this machine has hardware-supported "pointer-in-memory-protection" (aka tags-active mode), so if a pointer gets overwritten with data, it can not be used anymore; this prevents a worm from entering the computer system, and so you do not need any kind of anti-worm software.
Hardware architecture should have security built-in (such as pointer-protection)
Software should be written correctly; there should be high-quality programming libraries for such simple things like string manipulation (and 99% of all buffer overflows are gone)
Operating systems should have fine-grained privileges and fine-grained access control -- or even capability-based architecture
Operating systems and even some user software should have a Trusted Path for invoking critical functions - especially web browsers are missing a feature like this, although it could prevent most spoofing/phishing methods, etc.
The system should always make clear to the user what he/she is interacting with (part of trusted computing base, application program, content of application program such as a java applet in a browser window etc.)
If computers were designed this way, all Anti-$SOMETHING software would be unneeded...
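The pointer-tag idea described in the comment above, as an added example that is not part of the original post and not IBM's implementation: a simplified C model in which every 16-byte slot has a tag bit that only a pointer store can set and any ordinary data store clears. The slot size, function names and the record layout (a name field directly followed by a pointer) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 16   /* assumed size of one tagged unit */
#define NUM_SLOTS 4

struct tagged_mem {
    uint8_t bytes[NUM_SLOTS * SLOT_SIZE]; /* what programs can address */
    uint8_t tag[NUM_SLOTS];               /* kept outside addressable data */
};

/* Pointer store: the only operation in this model that sets a tag. */
int store_pointer(struct tagged_mem *m, size_t slot, uint64_t target)
{
    if (slot >= NUM_SLOTS) return -1;
    memset(&m->bytes[slot * SLOT_SIZE], 0, SLOT_SIZE);
    memcpy(&m->bytes[slot * SLOT_SIZE], &target, sizeof target);
    m->tag[slot] = 1;
    return 0;
}

/* Ordinary data store. It checks only the bounds of memory, not of the
 * destination field (that is the modelled bug), and clears the tag of
 * every slot it touches. */
int store_data(struct tagged_mem *m, size_t off, const void *src, size_t len)
{
    if (off > sizeof m->bytes || len > sizeof m->bytes - off) return -1;
    if (len == 0) return 0;
    memcpy(&m->bytes[off], src, len);
    for (size_t s = off / SLOT_SIZE; s <= (off + len - 1) / SLOT_SIZE; s++)
        m->tag[s] = 0;
    return 0;
}

/* Pointer load: refuses any slot whose tag is no longer set. */
int load_pointer(const struct tagged_mem *m, size_t slot, uint64_t *out)
{
    if (slot >= NUM_SLOTS || !m->tag[slot]) return -1;
    memcpy(out, &m->bytes[slot * SLOT_SIZE], sizeof *out);
    return 0;
}

/* What a machine without tags would use: the raw bytes, whatever they are. */
uint64_t raw_read(const struct tagged_mem *m, size_t slot)
{
    uint64_t v = 0;
    memcpy(&v, &m->bytes[slot * SLOT_SIZE], sizeof v);
    return v;
}

/* Constructed scenario: slot 0 is a 16-byte name field, slot 1 holds a
 * pointer. Copies input_len bytes of 'A' into the name field.
 * Returns 0 if the pointer still loads, -1 if the load is refused,
 * -2 if the copy itself was out of range. */
int overflow_demo(size_t input_len, uint64_t *raw)
{
    struct tagged_mem m;
    uint8_t input[NUM_SLOTS * SLOT_SIZE];
    uint64_t p = 0;

    memset(&m, 0, sizeof m);
    memset(input, 'A', sizeof input);
    store_pointer(&m, 1, 0x1000);
    if (store_data(&m, 0, input, input_len) != 0) return -2;
    *raw = raw_read(&m, 1);
    return load_pointer(&m, 1, &p);
}

int main(void)
{
    size_t lens[] = { 16, 24 };
    for (size_t i = 0; i < 2; i++) {
        uint64_t raw = 0;
        int rc = overflow_demo(lens[i], &raw);
        printf("copy of %zu bytes: raw slot value 0x%llx, pointer load %s\n",
               lens[i], (unsigned long long)raw, rc == 0 ? "ok" : "refused");
    }
    return 0;
}
```

The model covers only the pointer-overwrite case the comment names; an overflow that corrupts plain data next to the buffer is not detected by tags.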
"only 55 percent of the machines of those users scanned showed evidence of the software."
Which means that those are the ones with insecure settings. A good security setup wouldn't reveal anything with regards to security settings.
PEBKAC = Problem Exists Between Keyboard And Chair
PBKAC = Problem Between Keyboard And Chair
The discussion on this topic seems to confuse several issues. There is the issue of high assurance software which as the document [1] indicates can be done on free software (but generally isn't).
Then there is the issue of proving that a system has not been compromised before or after installation (how paranoid are you regarding where the source came from?). It's a pity that so many developers don't sign their source releases (that includes me, I'll have to do better for future releases).
There is the issue of whether users are at fault (the actual topic for the discussion) and the related issue of whether typical Windows users are given such a selection of bad options that it's not their fault for getting it wrong.
All of these are worthy issues, but it seems to me that trying to discuss them all on the one thread gives more heat than light.
[1] http://www.dwheeler.com/essays/high-assurance-floss.html
See http://etbe.coker.com.au/ for my blog.
You just proved God exists. What?! You can't prove She doesn't exist!
well, I mostly don't. If I suspect something is wrong with a system I use pandasoftware.com and run their free online activescan.
To protect myself I simply do not run day to day things as an administrative account. When I set up a machine I always create 2 accounts Admin and UserAccount. By default these are both Admin accounts. So I go ahead and install all of my software on the UserAccount and when I am satisfied that the system is up to date and has all the programs I need I log in and downgrade the account to Limited.
If in the future I need admin access I login that way. This stops most of the "stealth" software.
http://p8ste.com - Web based Clipboard
you have to be one of the most boring and pathetic shills on slashdot. thanks for playing.
but for most of us, it's not. Programmers don't get the time required to make the program completely bug free/security tight. Managers only allow enough time for the project to come in under budget (or as low as possible). Customers only allow the managers a certain budget as the software is only useful to them if it comes at the right price. So... who's truly to blame? Seems like there's plenty to go around.
<opinion>The reason that Linux is less bug prone compared to M$? There's fewer budget constraints.</opinion>
Hmmmm. Agree, (except I use NOD, which has a better detection & protection record than Avast, although it is a good free option), but I'd mention the essential add-ins to Firefox, (which, as documented here, is not invulnerable). Noscript, Phishtank...
Also, if you're a laptop user, the firewall which is probably integrated in your home or office internet connection will not protect you when connecting to hotspots. Disable the poor Windows XP integrated one, for sure. But then install one of the plenty of free options for XP, (ZoneAlarm...). You'll be surprised how often things try and 'dial out'...and how often you are 'attacked' (look at the logs).
Finally, no need to use IE to get updates for XP - you can use the option 'download updates automatically, but let me decide when to apply them' in the security centre.
I can hardly wait for the spin on this one.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo