PEBKAC Still Plagues PC Security
Billosaur writes "Ars Technica is reporting on a study released by McAfee and the National Cyber Security Alliance (as part of the beginning of National Cyber Security Awareness Month) that suggests when it comes to PC security, the problem between the keyboard and the chair is even worse. PEBKAC has always been a problem, but the study highlights just how prevalent it has become. 87 percent of the users contacted said they used anti-virus software, while 70 percent use anti-spyware software. Fewer (64 percent) reported having their firewalls turned on, and only 27 percent use software designed to stop phishing attempts. Researchers were allowed to scan the computers of a subset of the users, and while 70 percent claimed to be using anti-spyware software, only 55 percent of the machines of those users scanned showed evidence of the software."
I use Avast free home edition anti-virus program and that's it. No firewall (and I turn off the "firewall" that comes with XP) and no anti-spyware programs. And in more than 3 years I have had zero malware of any sort on my computers running XP.
The secret of my success is that I also don't use Internet Explorer (except for the Windows Update website, cause Microsoft makes me). That one step protects me from >95% of the malware. The other 5% is handled by Avast and Firefox. And I don't download and install "free" programs and games.
Boycott Internet Explorer (and all of the loss of security, privacy, and control of your own computer that goes with it), use Firefox and a good anti-virus program, and don't do stupid things on the net and you're golden.
The NSA: The only part of the US government that actually listens.
...And in more than 3 years I have had zero malware of any sort on my computers running XP.
That you know of. A lot of zombie-related malware is intended to be very stealthy.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Nothing is ever, EVER going to be idiot-proof.
Because idiots are both highly prolific and highly creative.
Unless the world standardizes on a single platform, and never, EVER changes it again, this is always going to happen.
It's a matter of "that's not how I learned it" or "I never learned it", and they wind up making the systems do things they aren't supposed to.
It does, however, go to show you that even hordes of security professionals can't be collectively omniscient.
As always, "security" is a PROCESS, not an endpoint, not a product.
Chas - The one, the only.
THANK GOD!!!
If you combine PEBKAC with the nightmare OS that is Windows, you see the dark and terrible Hell that has been created. Granted, it is true that a lot of people who use computers don't deserve them, but everyone feels they are entitled to them. Really, the majority of people haven't earned the right to use computers, because they have no discipline to do so. But they will anyway, because there is money to be made. It's like giving guns to chimps.
I started on Tandy 1000 286s, and Commodore 64s, so I have that discipline, that experience, I learned how to walk before I ran, and ran before I flew. But that just isn't the way our world works.
Do realize that the actions these insecure people with irresponsible habits take affect the lives of millions of people through scams, and DoS attacks.
So let's see, it's not software that is broken and buggy, but rather the problem is the users that 'inadequately' act as an insanely complex added layer of security, managing a bunch of brain-numbingly-unrewarding security layers.
This article reeks to me of a security industry that is proactively trying to cover its ass, primarily because of the fact that the only reason they thrive is because Microsoft 'needs' to keep its source closed, and the public 'needs' an illusion of security.
Sorry, but I've recently gone through about my 5th runaround of giving selinux-Enforcing an honest try, and realizing yet again what an utter pile of useless shit it is (for the vast majority of Fedora users at least). (review my past comments which I won't argue over again... or just laugh as setroubleshootd tells you how the solution to your problem is to reboot and force a relabel... pulling in hardcoded path state from /etc/selinux/....)
Wake up and smell the insecurity folks and get used to it. Don't say anything within earshot of a mobile phone's mic that you wouldn't feel comfortable with any telecom employee overhearing... or anyone those employees might give network access to...
It's a brave new world. Don't give me this shit that the users are to blame.
Similar here, but I've run XP, *no* AV, *no* anti-spyware etc for 4 years. I do have a firewall/wireless hub for the house. I browse with Firefox only, and that's kept up to date and has Adblock and NoScript. My mail is scanned (although quite a few nasties sneak through).
My wife is computer illiterate, but she knows she's only supposed to open a small set of attachments and sees me about the rest. She knows not to open anything she doesn't recognize.
4 years, no viruses/spyware etc. I've tried a couple of those online scans and they came up clean.
However, now the kids are starting to use the PC.... I've switched to Ubuntu. I'm not convinced I can set up an XP machine that can't be infected by them.
That switch was a *major* pain. Switching MSmoney to gnucash, losing Photoshop, copying outlook mail history to evolution, loss of PDA syncing, blah blah blah.
This Slashvertisement rates a 4.2 out of 5.
It caused many readers to wonder, "if McAfee has an all-in-one package that can handle all my anti-spyware, firewall, anti-virus and phishing needs?". However, McAfee was unable to get the actual product it was trying to pitch in its press release on Slashdot.
Well done (though not perfect) - another high-five to my those PR pros!
Problem in Chair, Not In Computer. PICNIC.
That's the phrase I heard used to describe this condition.
as computers have become more powerful and versatile and the software more complex, the average user has a choice -- either become a nerd who follows all news, and spends large portion of their time learning about new technologies, how they are integrated, what risks are there, etc.; or ignore the problems, _trust the vendors_ to mostly do the right thing, learn the part of the interface they care about and react if they get hit. it is just not realistic to expect a user to know a lot about computers, as it is unrealistic to expect that a sick person can successfully self-medicate themselves to health.
so, while the problem is between the chair and the keyboard, it is between the chair and the keyboard of the people who create the software, and not the people who use it. mostly.
Can't wait for the "disciplined computer user" licenses, we can lock all those computer illiterate retards out!
The problem is that if the user can kill it, so can the virus. A lot of viruses have anti-anti-virus routines built in them to detect and disable anti-virus software from detecting and disabling THEM. It's a warzone out there.
Because of this, anti-virus software embeds itself very deeply in the system and runs with ring 0 privs to prevent virii from subverting them.
The
Just because the users are stupid and run Windows as administrator, doesn't mean the OS itself is insecure.
PS: I am posting this from my Kubuntu Feisty machine.
There's a number of separate issues here:
1) IMHO, it's impossible to protect users from messing with their own data, IF you want to make systems useful. A good option could be a versioned filesystem on a remote server (outside direct control of the user), where old versions of his/her files could always be retrieved. Without that, a user that says: "delete file XYZ on my local drive" will just do so, regardless of whether that was the intended or sensible thing to do.
2) It's next to impossible to make the complex software systems of today 100% bug-free. So you always have the chance that some program fucks up (remotely triggered, on purpose or otherwise), and screws up user data. A sensible (automated?) backup strategy should protect you from this one though.
3) And then there's the OS kernel, core libraries, hardware drivers, bootup files etc. This should be the easiest part IMO. It should be possible to have systems where users can fuck up their own data, and sometimes get hit by crappy/malicious programs, but where the base of the system remains functional and reliable, regardless what happens to everything running on top of it. When I consider it's about 25 years ago I first got familiar with the concept of a personal computer, I am really *AMAZED* the IT industry hasn't even reached this point. Is it really *THAT* hard to design software systems where users can add & remove 3rd party packages or update non-essential components, without endangering the core functionality of the system? That's not a user friendliness vs. security, but an overall system design issue.
Health class is a bit like having a class for condom enthusiasts who sit around talking about how the average user doesn't wear a condom. And then having a good old laugh at them while at the same time being a smug prick.
These people may have more sexually transmitted diseases, but i bet they get laid more often.
One day, we'll look back at PC security of today and laugh at the crap one had to go through just to not have your typical PC go down in flames.
...Could be tomorrow if you downloaded an .iso tonight.
Money is the root of all evil?
The problem is not that users fail to use anti-virus, anti-spyware,
anti-phishing, anti-left-handed-metric-wrench software.
The problem is that users CHOOSE to use operating system and
applications which are so miserably designed and written that they
are susceptible to these problems as-shipped by the vendor(s).
(I take the position that any OS which needs anti-virus software
to survive in the wild is clearly broken and should never be used. By anyone.)
Anti-* software is a band-aid. Its use is a clear indication that the
product it's trying to band-aid is broken. And anyone deliberately
using known-broken products should not be very surprised if Bad
Things happen as a result.
It continues to amaze me that anyone is surprised by this --
although I suppose by now I ought to have gotten accustomed to
this state of affairs. [Some] people install obviously defective
operating systems (e.g., any version of Windows), use obviously
defective mail clients (e.g., Outlook), use obviously defective
web browsers (e.g., IE) and then actually expect that they can
somehow make up for this series of stunningly poor decisions
by installing enough add-ons. It doesn't work, of course, which is
why we see hundreds of millions of infected systems out there,
spewing spam, conducting DoS attacks, poking at web servers,
brute-forcing ssh servers, and so on.
My point being that by the time the conversation has gotten to
anti-* software -- it's too late. The damage has been done, and
there's no undoing it (despite lots of wishful thinking and the
earnest assurances of anti-* vendors, who of course, let's not
forget, have a substantial profit motive).
(Ah. About this point, some M$ apologist will raise one of the
usual canards -- for example, "M$ products are attacked because
they're popular". Not true, of course; M$ products are attacked
because they're miserably weak as a result of incompetent design
and even worse implementation. M$ is hardly alone in this, it's
that for some inexplicable reason, it seems to attract the most
defenders -- despite the fact that as possibly the most well-funded,
well-staffed, well-equipped software company in the world...it
has repeatedly proven that it can't even write a decent mail client.)
So. These studies shouldn't ask questions like "Are you using
anti-spyware?" They should ask questions like "Why are you dumb
enough to use an OS/application software combination so badly
written and maintained that anti-spyware is deemed necessary?"
To all of those who are crowing that they haven't run virus protection or spyware scanners in xx years. Why are you proud of this fact?
Because I've been a network administrator herding a 100-400 programmers plus their administrators and secretaries and sales guys and so on, for 20 years. And I do protect myself.
* Don't use Windows at all unless you have to.
* If you have to, don't use any application that uses the HTML control on untrusted content.
* If you have to, don't run any services on it you don't need.
THAT is "protection".
If you don't do that, you're having unprotected sex with the Internet.
Using Antivirus software is like taking prophylactic antibiotics and interferon and RU486 every morning. And like taking drugs you don't need, antivirus software can cause problems just by running it. It can crash your programs, lose your data, and false positives can cause you to waste time.
When someone new to our network was having problems, first thing I typically did was turn off ZoneAlarm on their computer. That gave me an opportunity to make sure they had a recent non-IE browser and a non-Outlook mail program, and let them know of our corporate policy on IE and Outlook (which was 'you don't use these programs on our network').
We had no virus outbreaks until we were forced by the parent company to standardize on McAfee antivirus and IE, turn on the Microsoft remote administration tools, and so on... and when the company got hit by the next worm we got it too. First time that had happened since we started seeing the virus storms come through five years earlier.
Do you drive your car without insurance? Do you drive without buckling your seatbelt and leave all of the windows down so that you will be "thrown clear" in the accident?
Nope, and I don't drive my computer without a real OS, and I don't use Windows without disabling as much IE as I can, and I don't run antivirus software so that when I'm infected it'll tell me it's deleting critical system files because they can't be repaired.
Sticking your head in the Windows may make you feel good, but don't kid yourself that it's safe.
That is stupid. Users have a right to own their own software and hardware. Users, customers, and people do not buy a license to use software. Nor do they, for the most part, lease hardware. They buy it, and they own it, and it is theirs. What you are suggesting is selling crippled machines under the guise of security.
Aside from being morally retarded, it still ignores the issue of human nature. All it would take is one person that has some of these "root passwords" to sell them, or leak them, and users' machines could be compromised and they would not even be able to detect it. It will happen, sooner or later. You cannot say that the info won't be leaked. Social engineering, lapse of judgement, or outright theft could all cause the leak. Look at the recent history of leaks on /. alone for examples. To say that even with the information an attacker could not break your Hard Core security model is naive at best. All code has bugs. All security models have holes.
As I have stated above, your idea does not solve the problem, and is an insult to users of whatever product you make with this idea in mind. Further, for it to be effective you must get people to use it. How would you do that? Even good software is not enough to compel users to switch if what they are using does the job at least mediocre. Look at the number of people using Windows, and Office. This is evidence enough that people won't change. Would you have governments regulate that this security must be used? Certainly this scheme must be a DRM-like scheme if it restricts the rights and privileges of users on their own machines. Would your "qualified professionals" support this? Let's just ask some of them here on /.
Your poorly laid out suggestion also ignores another key question: Who would determine which ones of us are "qualified professionals"?
If users don't control their own machines, someone must. They will need this "root password" to do software upgrades, install trusted and useful software (we can't let users do this or the point is moot), do system upgrades. If every nimbwit @ best buy's geek squad can get this access then systems will still be infected, because some of these people are dumber than most users we are trying to protect. They would, at the very least, use their access to unlock their home machines. Then they are victim to all the same tricks and exploits they are now. If you restrict it too much then people won't want to use your platform, and will either use something else or get very upset until things are changed. Of course then we need to decide who picks the "qualified professionals". I don't want you picking them, and I bet you don't want me to. Neither of us wants lawmakers to pick them. Microsoft wants Microsoft to pick them; others disagree sharply. This is another non-trivial issue your moronic idea fails to account for.
In short:
Piss Off!
Um, no. You ran as fast as you could on those Tandys and Commodores, which inspired you to run on to the next thing when it came out. Get off your high horse and quit whining about all the "stupid lusers". I think people like you are the only ones feeling "entitled" to anything.
Just because the general population didn't feel like screwing around with four color graphics and swapping floppies doesn't mean they are somehow inferior to those of us who did. They see computers as usable now and are overwhelmed by the IT world we created. Show them how to do it and explain why best practices are best. Make them learn every step of the way and stop rolling your eyes, booming "Moooove!".
Basically, the first commandment of dealing with others is:
Thou shalt not be such a Douche.
Shift happens. Fire it up.
Several of the top viruses of 2006 were over 2 years old (according to a report by Sophos). Obviously there was anti-virus protection available for those threats but many, many people aren't protecting their computers. It's no wonder why creating huge botnets continues to be so viable.
Ah yes, and companies that make arc-welders should take into account so the average moron can weld. Oh, and rocketships should be more simpler. And backhoes.
A computer is neither a toy nor an appliance. It is a tool. It is a very powerful and complex tool. Expecting a "computer company" (I'm not sure if you are referring to PC OEMs like Dell and HP, or Microsoft) to be able to successfully design a system to be both meaningfully usable by an idiot to accomplish anything useful while still remaining secure is unrealistic.
Everyone thinks Microsoft did such great things for IT and computers, when in fact all it did was pretend that it could eliminate the intelligence requirement for using a complex tool. Unfortunately the average moron is now firmly convinced this is true.
...clueless lusers are the biggest problem and that they are as clueless on Windows as they would be on Linux.
The favourite Microsoft Fanboy Argument about the easiness of Windows is a dead herring, just because someone thinks they can use an OS does not mean that they can.
...and since Microsoft makes anybody admin per default (on Vista too ?) anything the user runs can kill both the virus scanner, firewall and anything else (if not by simply shutting it down then by putting it in debug mode).
--
Yes, I'm probably starting another flamewar... but my args. are valid.
DUH!!! lol.... you must be new here....
Roses are red, violets are blue, most poems rhyme, but this one doesn't...