Slashdot Mirror


PEBKAC Still Plagues PC Security

Billosaur writes "Ars Technica is reporting on a study released by McAfee and the National Cyber Security Alliance (as part of the beginning of National Cyber Security Awareness Month) that suggests when it comes to PC security, the problem between the keyboard and the chair is even worse. PEBKAC has always been a problem, but the study highlights just how prevalent it has become. 87 percent of the users contacted said they used anti-virus software, while 70 percent use anti-spyware software. Fewer (64 percent) reported having their firewalls turned on, and only 27 percent use software designed to stop phishing attempts. Researchers were allowed to scan the computers of a subset of the users, and while 70 percent claimed to be using anti-spyware software, only 55 percent of the machines of those users scanned showed evidence of the software."

17 of 300 comments

  1. And the solution is... by It doesn't come easy · · Score: 5, Interesting

    I use Avast free home edition anti-virus program and that's it. No firewall (and I turn off the "firewall" that comes with XP) and no anti-spyware programs. And in more than 3 years I have had zero malware of any sort on my computers running XP.

    The secret of my success is that I also don't use Internet Explorer (except for the Windows Update website, cause Microsoft makes me). That one step protects me from >95% of the malware. The other 5% is handled by Avast and Firefox. And I don't download and install "free" programs and games.

    Boycott Internet Explorer (and all of the loss of security, privacy, and control of your own computer that goes with it), use Firefox and a good anti-virus program, and don't do stupid things on the net and you're golden.

    --
    The NSA: The only part of the US government that actually listens.
  2. Are you sure? by winkydink · · Score: 4, Insightful

    ...And in more than 3 years I have had zero malware of any sort on my computers running XP.

    That you know of. A lot of zombie-related malware is intended to be very stealthy.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Are you sure? by Rycross · · Score: 5, Insightful

      Yeah, and there could be a huge Linux virus epidemic. It's just stealthy enough that it's not being detected! Seriously, it's become standard to retort to claims of malware free with Windows with "Nuh uh! You probably just don't know you have it!" which is stupid if only for the reason that such a claim isn't reasonably falsifiable. I know that a lot of malware is designed to be stealthy, but a lot of computer professionals know how to root this stuff out, and there's no reason to think that the grandparent is not capable of detecting it.

      I've never been infected by malware. And I have confirmed this every time I've been challenged on that point. Doesn't stop people coming out and saying that I really am infected, I just can't detect it.

    2. Re:Are you sure? by Rycross · · Score: 4, Insightful

      You need to work on your reading comprehension. I wasn't claiming that Linux was vulnerable. I'm saying it's asinine to respond to someone claiming to be malware free by saying "No, you just don't realize you're infected."

      I mean, go on, prove to me right now, without a doubt, that your Linux box is not infected by some rare virus that people haven't seen and don't know how to detect. And just to head you off, claiming "Linux doesn't have viruses" isn't a valid response. After all, maybe you're one of the lucky first people to be infected, and you just don't know it yet! See how convenient this is? You can't prove that you DON'T have a virus short of taking a dump of the bits on the physical platter and doing a diff.

      There are ways to be reasonably sure (as in, 99.999999%). There's no reason to believe that the poster that started the thread was not able to be reasonably sure.

      But since you brought this up, tell me how you're going to prevent "Dear stupid user, please install this trojan as root to get your free cursors!" without taking control of the user's own computer away from him or her. You do realize that's how a lot of Windows malware is getting out there right now, don't you?

      Oh and just so you know, there are trojans out there for Linux. One of the systems at my old job was cracked. Luckily the admin noticed that someone was trying to get a rootkit on his system. These cracks often involve software installed on the Linux system with incorrect security settings, as I believe was the case here. But that's the point: the security of the system ultimately falls upon the user not doing stupid things, which is impossible to guarantee without taking control of the computer away from said user.

    3. Re:Are you sure? by suv4x4 · · Score: 4, Interesting

      Seriously, it's become standard to retort to claims of malware free with Windows with "Nuh uh! You probably just don't know you have it!" which is stupid if only for the reason that such a claim isn't reasonably falsifiable.

      It may be stupid but it's not wrong. I'm a developer and the kind of guy who sets his firewall as limited as possible, has anti-virus on, doesn't download "Free Smileys!!!" software, and in fact I'm very careful about doing things on my computer that may affect my security.

      I thought I was clean, I looked clean, and the PC worked like clean. Until one day the anti-virus detected a popular keylogger installed on my system (4 years ago). That was on top of that during a full-drive scan, not resident alert, who knows for how long was this thing running, and where it came from.

      Bottom line is, the infection status isn't something easy to assess, especially if you're not very experienced in the area and especially if you consider that you're virus free by default.

      The only way to not push your luck is know what you're doing, and turning your firewall off deliberately is equivalent to not knowing what you're doing.

      If you ask me now, since I wiped my disk twice, and changed all my passwords and reinstalled everything since, am I virus free? I'll tell you yes.. but I'll NEVER be 100% sure in my answer, since I could easily be wrong.

      It's not different on a Linux server by the way, so this is not a Windows vs Linux argument AT ALL.

    4. Re:Are you sure? by Rycross · · Score: 4, Insightful

      It can, but if that attendee actually bothered to look for malware, do you think he would have been unable to find it?

      The point is that there's no reasonable response to "You may have malware, but you just can't detect it." I mean, if we posit the existence of undetectable malware, or at least malware undetectable by the poster, then what you have asserted is nearly impossible to disprove. It's simply lazy to respond to "I don't have any malware," with "You do, you just don't know it." It's like saying "Nuh uh! I WIN!"

      If the above poster has actively looked for malware and has not found any, then it's reasonable to assume he is not infected, unless you can prove otherwise.

    5. Re:Are you sure? by king-manic · · Score: 4, Funny

      Yeah, and there could be a huge Linux virus epidemic. It's just stealthy enough that it's not being detected!

      Yes it's called vi. *dons asbestos vest*

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
  3. Can I get a "Well DUH!" by Chas · · Score: 5, Insightful

    Nothing is ever, EVER going to be idiot-proof.

    Because idiots are both highly prolific and highly creative.

    Unless the world standardizes on a single platform, and never, EVER changes it again, this is always going to happen.

    It's a matter of "that's not how I learned it" or "I never learned it", and they wind up making the systems do things they aren't supposed to.

    It does, however, go to show you that even hordes of security professionals can't be collectively omniscient.

    As always, "security" is a PROCESS, not an endpoint, not a product.

    --


    Chas - The one, the only.
    THANK GOD!!!
  4. PEBKAC Combined with a Nightmare of an OS, Sheeple by Zombie Ryushu · · Score: 4, Insightful

    If you combine PEBKAC with the nightmare OS that is Windows, you see the dark and terrible Hell that has been created. Granted, it is true that a lot of people who use computers don't deserve them, but everyone feels they are entitled to them. Really, the majority of people haven't earned the right to use computers, because they have no discipline to do so. But they will anyway, because there is money to be made. It's like giving Guns to chimps.

    I started on Tandy 1000 286s, and Commodore 64s, so I have that discipline, that experience, I learned how to walk before I ran, and ran before I flew. But that just isn't the way our world works.

    Do realize that the actions these insecure people with irresponsible habits take affect the lives of millions of people through scams, and DoS attacks.

  5. the blame game: pass the buck as always... by jdogalt · · Score: 5, Insightful

    So let's see, it's not software that is broken and buggy, but rather the problem is the users that 'inadequately' act as an insanely complex added layer of security, managing a bunch of brain-numbingly-unrewarding security layers.

    This article reeks to me of a security industry that is proactively trying to cover its ass, primarily because of the fact that the only reason they thrive is because microsoft 'needs' to keep its source closed, and the public 'needs' an illusion of security.

    Sorry, but I've recently gone through about my 5th runaround of giving selinux-Enforcing an honest try, and realizing yet again what an utter pile of useless shit it is (for the vast majority of Fedora users at least). (review my past comments which I won't argue over again... or just laugh as setroubleshootd tells you how the solution to your problem is to reboot and force a relabel... pulling in hardcoded path state from /etc/selinux/....)

    Wake up and smell the insecurity folks and get used to it. Don't say anything within earshot of a mobile phone's mic that you wouldn't feel comfortable with any telecom employee overhearing... or anyone those employees might give network access to...

    It's a brave new world. Don't give me this shit that the users are to blame.

  6. My Theory: XP can work, but not with kids by spagetti_code · · Score: 4, Interesting

    Similar here, but I've run XP, *no* AV, *no* anti-spyware etc for 4 years. I do have a firewall/wireless hub for the house. I browse with Firefox only, and that's kept up to date and has Adblock and NoScript. My mail is scanned (although quite a few nasties sneak through).

    My wife is computer illiterate, but she knows she's only supposed to open a small set of attachments and sees me about the rest. She knows not to open anything she doesn't recognize.

    4 years, no viruses/spyware etc. I've tried a couple of those online scans and they came up clean.

    However, now the kids are starting to use the PC.... I've switched to Ubuntu. I'm not convinced I can set up an XP machine that can't be infected by them.

    That switch was a *major* pain. Switching MSmoney to gnucash, losing Photoshop, copying outlook mail history to evolution, loss of PDA syncing, blah blah blah.

    1. Re:My Theory: XP can work, but not with kids by suv4x4 · · Score: 4, Insightful

      Sure you can, if you combine your malware with an elevation of privileges exploit.

      Since 99% of Windows XP-s out there run in admin mode all the time, I'm pretty sure none of them is particularly well doing in the privileges exploit area.

      Also this is the user level. Getting privileges higher than the current user isn't so trivial to exploit, since typically the entire browser will run at that level, including any add-ons and plugins. You do need to exploit an app running under admin, and if there's no such, you can't exploit anything.

  7. This Slashvertisement rates a 4.2 out of 5 by xxxJonBoyxxx · · Score: 5, Insightful

    ...a study released by McAfee...87 percent of the users contacted said they used anti-virus software, while 70 percent use anti-spyware software. Fewer (64 percent) reported having their firewalls turned on, and only 27 percent use software designed to stop phishing attempts.


    This Slashvertisement rates a 4.2 out of 5.

    It caused many readers to wonder, "if McAfee has an all-in-one package that can handle all my anti-spyware, firewall, anti-virus and phishing needs?". However, McAfee was unable to get the actual product it was trying to pitch in its press release on Slashdot.

    Well done (though not perfect) - another high-five to those PR pros!
  8. PICNIC by Saint Stephen · · Score: 5, Funny

    Problem in Chair, Not In Computer. PICNIC.

    That's the phrase I heard used to describe this condition.

  9. it is not a user fault by siddesu · · Score: 4, Insightful

    as computers have become more powerful and versatile and the software more complex, the average user has a choice -- either become a nerd who follows all news, and spends a large portion of their time learning about new technologies, how they are integrated, what risks are there, etc.; or ignore the problems, _trust the vendors_ to mostly do the right thing, learn the part of the interface they care about and react if they get hit. it is just not realistic to expect a user to know a lot about computers, as it is unrealistic to expect that a sick person can successfully self-medicate themselves to health.

    so, while the problem is between the chair and the keyboard, it is between the chair and the keyboard of the people who create the software, and not the people who use it. mostly.

    1. Re:it is not a user fault by big_paul76 · · Score: 5, Interesting

      Hear, hear.

      In WWII, they had frequent aircraft crashes caused by pilots landing with the gear up.

      They consistently attributed these accidents to "pilot error".

      Then somebody took a look at the design of the cockpit, and realized that it wasn't designed in a way that would make it immediately obvious to a pilot whether or not the gear was up or down. When the cockpit was re-designed, the high rate of 'gear up' landings evaporated.

      In other words, the designers were blaming the users for a design flaw. Happens all the time in the software industry these days.

      I'm not saying that PEBKAC errors don't happen, or that idiots don't do stupid things. But I suspect that a large slice of the cases we classify as "user error" should really be called design error.

      --
      The plural form of "anecdote" is "anecdotes", not "evidence".
  10. They've identified the wrong problem by Arrogant-Bastard · · Score: 4, Insightful

    The problem is not that users fail to use anti-virus, anti-spyware,
    anti-phishing, anti-left-handed-metric-wrench software.

    The problem is that users CHOOSE to use operating system and
    applications which are so miserably designed and written that they
    are susceptible to these problems as-shipped by the vendor(s).
    (I take the position that any OS which needs anti-virus software
    to survive in the wild is clearly broken and should never be used. By anyone.)

    Anti-* software is a band-aid. Its use is a clear indication that the
    product it's trying to band-aid is broken. And anyone deliberately
    using known-broken products should not be very surprised if Bad
    Things happen as a result.

    It continues to amaze me that anyone is surprised by this --
    although I suppose by now I ought to have gotten accustomed to
    this state of affairs. [Some] people install obviously defective
    operating systems (e.g., any version of Windows), use obviously
    defective mail clients (e.g., Outlook), use obviously defective
    web browsers (e.g., IE) and then actually expect that they can
    somehow make up for this series of stunningly poor decisions
    by installing enough add-ons. It doesn't work, of course, which is
    why we see hundreds of millions of infected systems out there,
    spewing spam, conducting DoS attacks, poking at web servers,
    brute-forcing ssh servers, and so on.

    My point being that by the time the conversation has gotten to
    anti-* software -- it's too late. The damage has been done, and
    there's no undoing it (despite lots of wishful thinking and the
    earnest assurances of anti-* vendors, who of course, let's not
    forget, have a substantial profit motive).

    (Ah. About this point, some M$ apologist will raise one of the
    usual canards -- for example, "M$ products are attacked because
    they're popular". Not true, of course; M$ products are attacked
    because they're miserably weak as a result of incompetent design
    and even worse implementation. M$ is hardly alone in this, it's
    that for some inexplicable reason, it seems to attract the most
    defenders -- despite the fact that as possibly the most well-funded,
    well-staffed, well-equipped software company in the world...it
    has repeatedly proven that it can't even write a decent mail client.)

    So. These studies shouldn't ask questions like "Are you using
    anti-spyware?" They should ask questions like "Why are you dumb
    enough to use an OS/application software combination so badly
    written and maintained that anti-spyware is deemed necessary?"