Slashdot Mirror


Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

135 of 178 comments

  1. Privacy by sopssa · · Score: 5, Insightful

    If antivirus protectors could collect data from machines and users

    This idea stopped being a good one here.

    1. Re:Privacy by gnick · · Score: 4, Insightful

      I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breach. Just leave it off by default and, should you choose, don't click the box.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Privacy by clang_jangle · · Score: 1

      Step 1: All your data are belong to us.
      Step 2: Profile users.
      Step 3: ???? (as in "won't tell", not "don't know".)
      Step 4: Profit!

      I know, it's a tired, old meme but I just couldn't help myself...

      --
      Caveat Utilitor
    3. Re:Privacy by pseudorand · · Score: 3, Funny

      > If antivirus protectors could collect data from machines and users... ...it would be malware.

      As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

    4. Re:Privacy by jimbolauski · · Score: 1

      Just think of it this way: you give them your bank ID and password and they keep you safe. Where do I sign up?

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    5. Re:Privacy by Errtu76 · · Score: 1

      Antivirus protectors. So this is malware then. It protects against an anti-virus application. Malware to fight malware. I like it!

    6. Re:Privacy by Anonymous Coward · · Score: 1, Insightful

      As is, antivirus simply eats up all your CPU and memory

      It doesn't though, does it? Stop talking shit.

    7. Re:Privacy by Anonymous Coward · · Score: 1, Insightful

      Indeed. Why worry about malware collecting your private information when you can have the guys supposedly protecting you collect it for them? Businesses (and government) have a TERRIBLE reputation for safeguarding info. I would expect a year after such things became common place that we'll start reading about stories of how anti-virus company X lost critical information from a few million people due to an employee leaving a laptop conveniently unguarded, unlocked, with no encryption on the files in a deserted parking lot at 2am one rainy night inside a waterproof garbage bag.

      While I have your attention, I sell tinfoil hats!

    8. Re:Privacy by sopssa · · Score: 2, Interesting

      I'm actually more and more surprised at how the antivirus vendors are going the way that scareware does. A good example is Symantec and their Norton product (I feel sorry for the guy..)

      I haven't had an antivirus product on my machine for years because I know how to use the internet. But there was a case when I thought I'd made a mistake - so I got myself an antivirus scanner just to make sure.

      Unluckily for me, it happened to be Symantec's. To this day I've still been trying to get it off my system, with no luck. Every week it pops up during the night, scans all of my hard drives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

      With all their publicity stunts, bloatware and other shit it's getting on everyone's nerves. Everyone here on Slashdot knows what they think of Symantec. This is more or less the same issue.

      At least there are still good vendors like ESET with Nod32 and Kaspersky around. I won't touch Symantec even with a stick again.

    9. Re:Privacy by Z34107 · · Score: 4, Informative

      Well, yes and no; it depends on what kind of data.

      Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet.

      It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

      So, maybe a bad idea, but not a new one - it's already being done.

      --
      DATABASE WOW WOW
    10. Re:Privacy by Orbijx · · Score: 3, Informative

      Usually, the Norton Removal Tool does the job in blowing Norton's software off the system.

      I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
    11. Re:Privacy by Ethanol-fueled · · Score: 2, Insightful

      Exactly. This already came up here fairly recently.

      First, the service better be free. No way in hell I'm going to pay an AV vendor to do their job for them. Second, what if malware lifts credit cards and passwords from my computer? Will enough info be relayed to the good guys before my identity is stolen? Third, malware authors will become savvy, cat-and-mouse game, etc.

    12. Re:Privacy by elFisico · · Score: 2, Interesting

      If antivirus protectors could collect data from machines and users

      This idea stopped being a good one here.

      Not necessarily. Privacy could be protected by pseudonymizing the data. The information is in the connections between the nodes, not in the names of the nodes.

      Why pseudonym and not anonym? Because you should tell the infected that they are infected. And yes, who should be trusted to manage the nyms? That's another point for long discussions...

    13. Re:Privacy by Anonymous Coward · · Score: 1, Insightful

      Dear gods some people love typos. Enjoy:
      Your welcome.

    14. Re:Privacy by DigitAl56K · · Score: 2, Insightful

      Some thoughts:

      A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
      B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
      C) Once a virus is running on a host surely it can circumvent reporting agents, or even intercept them and report clean results, delaying or preventing this type of detection?

    15. Re:Privacy by Xaedalus · · Score: 1

      Does McAfee have one?

      --
      Here's to hot beer, cold women, and Glaswegian kisses for all.
    16. Re:Privacy by Mr.+Freeman · · Score: 4, Insightful

      The people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    17. Re:Privacy by Mostly+a+lurker · · Score: 1

      Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.

      Hmmm... This is somewhat similar to an issue mentioned in the article: polymorphic viruses. It raises an interesting question. Do existing AV products try to detect such behavior in newly executed code? I am really not sure how tricky the algorithms would be to detect code that is trying to encrypt itself or modify its own executable code. However, most regular software (funnily enough excepting security software trying to avoid detection by malware!) does not need to do this, so such code should probably be blocked and reported by default.

    18. Re:Privacy by Carnildo · · Score: 1

      If antivirus protectors could collect data from machines and users

      This idea stopped being a good one here.

      Think about a corporate environment where this level of information is readily available: if your automated system can spot a virus working its way through the PHBs, the system could block it before it gets to Accounting and starts interfering with people who actually do work.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    19. Re:Privacy by blackraven14250 · · Score: 1

      Please answer this! I just had to try and uninstall a copy today, and it's a royal pain.

    20. Re:Privacy by Orbijx · · Score: 3, Interesting

      Why hell yes, they do.
      In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe).

      One run of this util later, their connections suddenly worked again, and they stopped screaming that their "internets are down".

      It was fun times.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
    21. Re:Privacy by Orbijx · · Score: 1

      Yes, they do.
      See above for the answer.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
    22. Re:Privacy by DigitAl56K · · Score: 1

      However, most regular software (funnily enough excepting security software trying to avoid detection by malware!) does not need to do this, so such code should probably be blocked and reported by default.

      Lots of software does, though. Usually it's due to executable packers/code-obfuscators/anti-reversing runtime protection.

    23. Re:Privacy by TimTucker · · Score: 1

      If operating under that assumption, you could learn just as much from those systems since you could extrapolate that the things found on those people's machines were things that probably weren't malware. So you'd essentially have 2 classes of users:
      - Those who opt in (easier to gather data on what's likely to not be malware)
      - Those who don't opt in (software not used by the opt-in users may be more likely to be malware)

    24. Re:Privacy by gillbates · · Score: 1

      About a decade ago, my college installed an "advanced" AV program which blocked the behavior you described. They had to uninstall it almost immediately.

      Problem was, the college taught computer science classes, and one of the very first things a compiler does is write a zero-length executable file. Then, it proceeds to modify the code in said executable file. And then the AV suite blocks the compiler, thinking it's a virus.

      AV heuristics is an idea at least a decade old. It never really caught on - either it didn't work reliably enough, or pattern matching produced a better business model (subscription).

      --
      The society for a thought-free internet welcomes you.
    25. Re:Privacy by Anonymous Coward · · Score: 1, Funny

      THe people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.

      I tried clicking on it, but your "FREE PORN" link didn't work. Can you fix it?

    26. Re:Privacy by jawahar · · Score: 1

      Periodically I publish my data to http://secunia.com/vulnerability_scanning/personal/

    27. Re:Privacy by JumpDrive · · Score: 1

      I agree, it's not a new idea. But maybe one whose time has come.
      The problem I think in part is how they implement it.
      I get nothing from Symantec or some other company that does this, or at least I don't feel it. Why should I use my efforts to improve a commercial product?

      But now let's throw in the attitude of the open source community. I would be much more likely to aid an AV that is not a commercial product, or a product that is free and full featured, as long as I stipulate what the information gathered can be used for.

      I don't think Trend Micro, Symantec, Microsoft..... are going to be treated with good will when it comes to this type of thing; it will probably need to be a company that doesn't have the brand, but can still give that warm fuzzy feeling of trust.

      But if Trend Micro, Symantec, Microsoft..... did want to do such a thing, I think their best shot would be through cloud computing. Say something where I can use their computer on the cloud for surfing, and remain anonymous. They would probably see some of the latest and greatest malware this way.

    28. Re:Privacy by Anonymous Coward · · Score: 1, Funny

      You should cleverly disguise the opt in button as a porn advertisement...

    29. Re:Privacy by jimicus · · Score: 1

      You know the biggest joke?

      Symantec have an enterprise version which they recommend to any organisation with more than 5 PCs.

      It is small, unobtrusive, easy to manage and doesn't gobble up CPU and RAM like it's going out of fashion. So they clearly have some perfectly competent developers on staff.

      Just a bit of a shame that none of these developers go anywhere near the Norton product.

    30. Re:Privacy by Lord+Lode · · Score: 1

      I wonder why they need all that information? Why don't they put software in all internet backbones worldwide that detects all virus traffic, and stop the virus there? You don't need user information or geographical information from people, the internet lines themselves are geographically known and shouldn't that be enough?

    31. Re:Privacy by Doggabone · · Score: 1

      What the hell does "privacy hind end" mean, anyway?

      Cover Your Ass.

    32. Re:Privacy by cain · · Score: 1

      You're assuming this is only for private citizens' computers. In that case you're right. But I could see this being useful in large "non-civilian" deployments like military, school, or corporate environments where the machines don't belong to an individual, but to an entity - where the machine's user does not have an expectation of privacy.

  2. trojans by Hatta · · Score: 4, Insightful

    Malware generally moves the same way any other software moves. The user downloads and installs it.

    --
    Give me Classic Slashdot or give me death!
    1. Re:trojans by Anonymous Coward · · Score: 3, Informative

      They thought of that:

      Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake - the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).

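The time-of-day heuristic quoted above, worked through as an added example (not code from the article or the thread): it measures how evenly infection reports are spread across the 24 hours of the reporting machine's local day and labels the pattern. The sample timestamps, the 08:00-22:59 waking window, the thresholds and the labels are all assumptions.

```python
"""Hour-of-day spread heuristic for infection reports (constructed example).

Reports spread evenly over all 24 hours are consistent with automated
spread through a machine vulnerability; reports clustered in waking hours
are consistent with installation that needs a human at the keyboard.
Timestamps must be in the reporting machine's local time for this to mean
anything, which is why the article wants geographic information at all.
"""
from collections import Counter
from datetime import datetime, timedelta
import math

WAKING_HOURS = range(8, 23)  # assumption: 08:00-22:59 counts as "awake"


def hour_histogram(timestamps):
    """Count reports per hour of day, as a 24-entry list."""
    counts = Counter(ts.hour for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def normalized_entropy(hist):
    """Shannon entropy of the hour distribution, scaled so 1.0 is uniform."""
    total = sum(hist)
    if total == 0:
        return 0.0
    ent = 0.0
    for c in hist:
        if c:
            p = c / total
            ent -= p * math.log2(p)
    return ent / math.log2(24)


def waking_fraction(hist):
    """Share of reports that fall inside WAKING_HOURS."""
    total = sum(hist)
    if total == 0:
        return 0.0
    return sum(hist[h] for h in WAKING_HOURS) / total


def classify_spread(timestamps, entropy_threshold=0.9, waking_threshold=0.85):
    """Label a set of report timestamps; thresholds are assumptions."""
    hist = hour_histogram(timestamps)
    ent = normalized_entropy(hist)
    wf = waking_fraction(hist)
    if ent >= entropy_threshold:
        label = "round-the-clock (consistent with automated exploitation)"
    elif wf >= waking_threshold:
        label = "waking-hours (consistent with user-driven installation)"
    else:
        label = "inconclusive"
    return {"entropy": round(ent, 3), "waking_fraction": round(wf, 3), "label": label}


# Constructed sample data, not real telemetry:
# one report every 37 minutes for about three days (worm-like), and reports
# clustered around lunch and evening on three days (trojan-like).
START = datetime(2010, 2, 1, 0, 0)
WORM_REPORTS = [START + timedelta(minutes=37 * i) for i in range(120)]
TROJAN_REPORTS = [
    START + timedelta(days=d, hours=h, minutes=m)
    for d in range(3)
    for h in (12, 13, 19, 20, 21)
    for m in (5, 25, 45)
]

if __name__ == "__main__":
    print("worm-like:  ", classify_spread(WORM_REPORTS))
    print("trojan-like:", classify_spread(TROJAN_REPORTS))
```
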
    2. Re:trojans by Hatta · · Score: 1

      That doesn't say anything about how they are going to distinguish manually installed malware from manually installed apps.

      --
      Give me Classic Slashdot or give me death!
    3. Re:trojans by tlhIngan · · Score: 1

      Malware generally moves the same way any other software moves. The user downloads and installs it.

      Not only that, the user often willingly downloads it! It often doesn't come like the spyware of old, buried deep inside the ToS. Instead, the user willingly downloads the trojan and runs it.

      People complain that anti-virus programs continually complain that cracks are infected, but from what I've seen, the AV program is right. People release clean cracks, then more nefarious ones take that crack, and wrap it with all sorts of trojan downloaders. The crack works, but it also installs a vector for more malware to come in. Or they bypass the whole "get a crack" thing and release fake cracks. A little SEO and the top 20 hits on Google will be infected, and if it works, that infected crack will also make its way onto torrents.

      I've seen listings of literally 10,000 cracks suddenly released that were just renames of the same trojan - the binary was byte-for-byte identical. Interestingly, half were for programs, the other half were for movies and stuff. Even the once-trustworthy sites get afflicted.

    4. Re:trojans by blackraven14250 · · Score: 1

      ...or malware that comes bundled with manually installed apps.

  3. an amazingly bad idea by leehwtsohg · · Score: 4, Insightful

    "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
    Malware writers and credit card phishers would have an immensely easier time.

    It is quite mindboggling how bad this idea is. Cookies are not bad enough for you, eh?

    1. Re:an amazingly bad idea by Killer+Orca · · Score: 1

      Cookies are also hard to even browse without, most sites don't load if the cookie is rejected. After I read the EFF article about web privacy, http://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks I tried setting FF to ask me for cookies, it was such a hassle I had to just set it to delete them after I close out.

    2. Re:an amazingly bad idea by martas · · Score: 1

      The only difference is, the people collecting the data are the freaking security experts you decided to trust with your data's integrity and privacy. It's not that similar to uploading personal data to Facebook, or using Google Docs to store your banking info. Of course, security experts aren't infallible, but I'd readily trust them with ALL my data if they convince me that doing so will make their protection substantially better.

    3. Re:an amazingly bad idea by Anonymous Coward · · Score: 1

      I tend to like chocolate chip cookies best. And of those the Tollhouse recipe is the "best of the best"; however, Oreos were good in their day.

      Now, however, Nabisco and all (or at least most) of the cookie manufacturers use cheaper, inferior ingredients which have lessened the flavor of ALL cookies.

    4. Re:an amazingly bad idea by plover · · Score: 1

      Not only is it a bad idea to gather all that info in one place, but the idea itself won't work. If I have two encrypted SSL streams, one contains malware, the other contains my banking information, how does his magical tool know the difference?

      "Please, anti-malware tool who is reporting all my machine information to the great vendor's database in the cloud, I want you to also sniff my banking traffic."

      I much preferred the video of the jet-powered merry-go-round: http://www.youtube.com/watch?v=tjS8btFb9RA&feature=popt00us07 At least there you get some fun out of the danger before the whole thing blows up in your face.

      --
      John
  4. well... by eexaa · · Score: 2, Funny

    " And the moment malware gives up what allows us to detect it, it also stops being a threat."

    Sounds like we will get a computer filled with malware that is configured to wait until exact date/second and kill everything.

  5. Impractical by Null+Nihils · · Score: 3, Insightful

    This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

    Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

  6. What does it do.. by Lewis+Daggart · · Score: 1

    ...when all it can detect is itself?

  7. That's too much by greymond · · Score: 3, Insightful

    It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computer's information, sensitive or not, to be handed over to McAfee or Symantec or whoever. Not me.

    1. Re:That's too much by Capt.DrumkenBum · · Score: 1

      You sound like someone with something to hide...

      Is that a black helicopter behind you?

      --
      If I were God, wouldn't I protect my churches from acts of me?
    2. Re:That's too much by greymond · · Score: 1

      OMG How did you now!!1! ;)

  8. Malware vulnerability is profitable for Microsoft. by Futurepower(R) · · Score: 5, Interesting

    The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD volunteers have been doing that for many years.

    In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For examples, see the New York Times article Corrupted PC's Find New Home in the Dumpster. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

    Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.

  9. Refocus malware views by onyxruby · · Score: 1
    People need to refocus malware views and start focusing on some of the largest scourges of the issue.
    • Visa
    • Mastercard
    • American Express

    People write malware because it is profitable to do so. Regardless of how a machine has been owned, it typically boils down to one of two uses, a botnet or hijacking financial data. The easiest way to do this is get people to submit their own credit card details voluntarily through a webform. While the hosted pages are typically fake, the billing is almost always real, and this should be the target.

    Enable companies to watch and report on the merchant accounts where malware authors get their money from. Somehow get the big credit card companies to become proactive about shutting them down without a several month investigation. I've done credit fraud in a former career, it's remarkably easy to detect and find. All of this could be fairly easily detected by the credit card companies if they could be bothered.

    The biggest problem is that they can't be bothered as the fraud is profitable for them. Even in the event of a chargeback they can still make money and the administrative costs they incur are nothing compared to the profit they receive. Cut off the source of funding for malware authors quickly instead of slowly and the profit motive for writing malware will take a hit.

    1. Re:Refocus malware views by MrEricSir · · Score: 2, Funny

      Consumer protection laws? Hmmm, I don't think the bank lobbyists in DC are going to be in favor of that.

      --
      There's no -1 for "I don't get it."
    2. Re:Refocus malware views by jonbryce · · Score: 1

      Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

    3. Re:Refocus malware views by jonbryce · · Score: 1

      Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

    4. Re:Refocus malware views by sulliwan · · Score: 1

      Credit card details are actually surprisingly cheap on the black market. Credit card companies are doing a pretty good job at fraud detection and transaction authentication considering how insecure the cards by themselves are. Both your identity information and your World of Warcraft account are probably worth more than your credit card details.

    5. Re:Refocus malware views by onyxruby · · Score: 1

      They are excellent targets, and getting these companies to cooperate with international anti-fraud efforts would be a huge win. Without doubt they are the favored methods of 419 scammers and many other scammers for their ability to send money internationally. That being said, sending money through one of these services isn't nearly as convenient or automated as sending money through a credit card. Whilst you may see larger transactions through those services, they can't begin to compare to the sheer volume of traffic of the credit card companies.

  10. Re:Or just switch to linux! by Issildur03 · · Score: 1, Insightful

    'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

    (Or is linux just not popular enough among the computer-illiterate to be a good target for attacks?)

  11. How about a ROLL Back to Install Tool? by jameskojiro · · Score: 2, Insightful

    How about building a tool in Windows that ensures all Windows system files are genuine and then shows what extra crap and drivers start up and lets you choose to either disable or enable them. How about a registry locker that locks down your registry while running said tool so you can see if the malware is trying to re-install itself back onto your computer?

    --
    Tsukasa: All I really want, is to be left alone...
    1. Re:How about a ROLL Back to Install Tool? by Penguinisto · · Score: 2, Insightful

      The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).

      The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design) has data written to it by the OS constantly during runtime. All the malware has to do (and usually does once infection hits) is to mimic the perms of the system itself and happily write to whatever parts of the registry it wants, discrete user-locks be damned. The only thing a user-lock would accomplish is to prevent you, the user, from removing the malware-written registry bits.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Re:Or just switch to linux! by CannonballHead · · Score: 1, Insightful

    You actually think that nobody would start making malware/adware for Linux? Not all adware/malware is installed without knowledge of the user... downloading a smiley pack that has malware in it seems to still be fairly common. I see no reason why someone wouldn't do the same for Linux. It would just have ".rpm" instead of ".exe"

    Sure, it probably wouldn't be in one of the good repositories, but since when has availability-from-reputable-sources stopped people from downloading/installing software?

  13. Snort? Anyone? Anyone? Snort? by mpapet · · Score: 1

    I've used snort to do this passively in a couple of different shops. I don't know why client software is even necessary when I have traffic destinations in a pretty web gui via BASE.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  14. LOL cats by ArhcAngel · · Score: 1

    Did anyone else read the headline and look for the picture to go with the lolcats caption?

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:LOL cats by bastardadmin · · Score: 1

      No, but I should have.

  15. Re:Or just switch to linux! by Anonymous Coward · · Score: 1, Insightful

    Problem solved!!

    Solved? Are you telling me that users can't install software in Linux?

  16. Re:Or just switch to linux! by Anonymous Coward · · Score: 1, Insightful

    'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

    Of course not. But Linux is written by users who don't want to be exploited (be they individuals or corporate users). The developers of Linux have a direct motivation to adapt Linux to deal with any new security threats. If trojans become a problem for Linux users, SELinux type solutions or default VM sandboxes or something else will become the norm and applications will be adapted to work well with it.

    The core security problem with Windows isn't that it has large market share or inferior technologies. It is that it has so much market share and lock-in that the developers of Windows don't lose significant money even when malware is a large problem for many users. As a result the developer (MS) is not directly motivated to solve the problem. They benefit more financially by expanding into a new market leveraging their existing monopolies or even by introducing features that work to the detriment of their users (like DRM).

    The interesting thing about Linux is that the license is designed to avoid any one player from being able to control it, so even if Linux had the same market share next year as Windows does today, developers would still be motivated to solve any new security problems.

  17. Host-Based Detection by Ponga · · Score: 1

    I've noticed over the last few years a growing trend toward host-based detection systems, like the McAfee product line for example. The US government or at least the DoD is really jumping on this bandwagon.

    Any thoughts about this approach?

  18. Already being tested by Symantec by Aryeh+Goretsky · · Score: 2, Insightful

    Hello,

    What Dr. Jakobsson has described is a reputation system.

    At Virus Bulletin 2009, Symantec gave a presentation on reputation systems: " Using the wisdom of crowds to address the malware long tail ," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sends this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, which is sent to Symantec, initially to provide a quick lookup, but more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)." along with some suggestions about how safe it is likely to be based on new/unique program files more likely to be untrusted (higher potential for malcode) and older, commonly program files having a higher degree of trust.

    One advantage of this approach is that it allows malicious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys of constantly modifying code in order to escape detection by anti-virus software.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
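    As an added illustration of the reputation lookup described in this comment (example code, not Symantec's and not from the poster): the client hashes a file, attaches the metadata fields listed above, and the lookup side answers with prevalence and age, which are then turned into a trust band. The vendor-side table, the sample file contents, the "today" date and the trust thresholds are all constructed assumptions for the example; the one real property it demonstrates is that a content hash matches renamed copies of a known file but not a byte-different, per-download polymorphic copy, which therefore shows up as never seen.

```python
"""Added example (not Symantec's code, and not from the post): a toy
file-reputation lookup in the spirit of the system described above.
The 'cloud' table, the sample file contents and the trust thresholds are
all constructed for this example."""
import hashlib
from datetime import date

# Fixed "today" so file ages are deterministic (assumption for the example).
TODAY = date(2009, 12, 1)

def file_hash(data: bytes) -> str:
    """Identity used for the lookup: a content hash, so renamed copies match
    and a byte-different (server-side polymorphic) copy does not."""
    return hashlib.sha256(data).hexdigest()

# Constructed file contents standing in for real executables.
SAMPLE_FILES = {
    "calc.exe":    b"MZ well-known calculator stub (constructed)",
    "dropper.exe": b"MZ freshly packed sample (constructed)",
}

# Constructed vendor-side table: sha256 -> (hosts that reported it, first seen).
REPUTATION_DB = {
    file_hash(SAMPLE_FILES["calc.exe"]):    (125_000, date(2008, 3, 1)),
    file_hash(SAMPLE_FILES["dropper.exe"]): (3,       date(2009, 11, 20)),
}

def build_query(filename, path, source_host, mtime, data):
    """Client-side record: the hash plus the metadata fields the post lists."""
    return {"sha256": file_hash(data), "filename": filename, "path": path,
            "source": source_host, "mtime": mtime.isoformat()}

def lookup(query, today=TODAY):
    """Vendor-side quick lookup: (hosts_seen, age_in_days) or None if unseen."""
    entry = REPUTATION_DB.get(query["sha256"])
    if entry is None:
        return None
    hosts, first_seen = entry
    return hosts, (today - first_seen).days

def classify(query, today=TODAY):
    """Turn prevalence and age into a trust band plus the user-facing message.
    Thresholds are assumptions: widely seen and old -> trusted; rare or very
    new -> untrusted; anything in between -> unknown."""
    result = lookup(query, today)
    name = query["filename"]
    if result is None:
        return "untrusted", f"Program {name} has never been seen before."
    hosts, age_days = result
    if hosts >= 1000 and age_days >= 30:
        trust = "trusted"
    elif hosts < 10 or age_days < 7:
        trust = "untrusted"
    else:
        trust = "unknown"
    return trust, (f"Program {name} has been seen on {hosts} host(s) "
                   f"over the course of {age_days} day(s).")

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        q = build_query(name, f"C:\\Downloads\\{name}", "198.51.100.7", TODAY, data)
        print(classify(q))
    # A unique, never-reported file: what server-side polymorphism produces.
    q = build_query("gift.exe", "C:\\Downloads\\gift.exe", "198.51.100.7", TODAY,
                    b"MZ unique per-download variant (constructed)")
    print(classify(q))
```

    Note that the verdict for an unseen hash is deliberately "untrusted" rather than "unknown": with this design, every freshly repacked sample is by construction a file nobody has reported yet, which is exactly why the post says polymorphism works against the author of the malware here.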
  19. Re:Or just switch to linux! by jbezorg · · Score: 1

    You know... the SANS Internet Storm Center was created in 2001 following the release of the Li0n worm. It exploited a BIND vulnerability on Linux systems and installed a rootkit on those boxes....

    Hubris, it's not just for Mac owners.

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
  20. there are simpler ways by jipn4 · · Score: 1

    Enable companies to watch and report on the merchants accounts

    There are much simpler ways than "watching merchant accounts": banks and credit card companies simply need to use standard security procedures. For example, banks and credit card companies could have all large transactions confirmed by text message. Or they can use hardware tokens or smart cards.

    The biggest problem is that they can't be bothered as the fraud is profitable for them.

    Exactly. If banks and credit card companies wanted to eliminate most fraud, they could do so easily.

    The way to fix this is to penalize banks for fraud, for the trouble they are causing to their customers.

  21. Where the Windows White List? by schwit1 · · Score: 2, Interesting
    I would love a built-in security component that white lists what is permitted to run.

    And include whether the component can run as limited or root permissions.

    1. Re:Where the Windows White List? by the_one(2) · · Score: 2, Informative

      as does windows

    2. Re:Where the Windows White List? by tepples · · Score: 1

      But who would maintain the whitelists? Either end users maintain it and they whitelist a trojan just to see the dancing bunnies, or a big company maintains it and all free software is banned like on the game consoles.

    3. Re:Where the Windows White List? by dbIII · · Score: 1

      Isn't that what Win7 AppLocker is supposed to do - an SELinux style whitelist?

  22. Re:I have a better idea by thewils · · Score: 2, Informative

    I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  23. Every time... by Ihmhi · · Score: 1

    ...I hear a leading question like that, I automatically fill in, "There's an app for that," in my mind. Damn your marketing to Hell, Apple.

  24. If OSX, Linux, & BSD can do it, Microsoft can by Futurepower(R) · · Score: 2, Informative

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

  25. Re:Or just switch to linux! by Mr. Firewall · · Score: 1

    If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

    Actually-- yes, pretty much. A properly configured 'nix machine is much more difficult to exploit than a 'doze box. If everyone switched to Linux, you'd easily wipe out at least 80% of the malware writers, and probably closer to 98%.

    Have you ever bothered to keep up on the security reports? Every month, Microsoft typically "patches" half a dozen "critical" (i.e., remote execution of arbitrary code) vulnerabilities, while the worst 'nix problem is typically something that can only be exploited while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  26. Their own staff.... by DrRiAdGeOrN · · Score: 1

    They should collect their staff's user data, given the example of the NSF yesterday, and how big Symantec is, they should be able to cover almost everything I would say. Let their employees be the guinea pigs for this....

  27. Re:Or just switch to linux! by bastardadmin · · Score: 1

    Windows is leaps and bounds more secure than any distro of linux, and will be for quite a while.

    Citation, please?

     

    The reason windows is so exploited, is because it is on 90%+ of the machines in the world which make it the prime target. If Linux had 90% of the desktop, I'm sure you wouldn't be saying "Switch to Linux"

    Very true.

  28. Whoosh! by Mr. Firewall · · Score: 1

    Lighten up, it was a JOKE!

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  29. Re:I have a better idea by Ungrounded Lightning · · Score: 3, Interesting

    If you think Linux is inherently more secure than Windows, you're absolutely nuts.

    Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

    This is a "feature" of the way Windows and its application suite are designed.

    Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

    So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

    Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

    And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of installations, might keep the problems far smaller than they are with Windows.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  30. Re:If OSX, Linux, & BSD can do it, Microsoft c by bastardadmin · · Score: 1

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

    Apple has a horrible record for patching OSX.
    Linux and *BSD have plenty of advisories and vulnerabilities.
    No, they were NOT designed to be secure. There are specialised variants, such as OpenBSD and SELinux, that can make that claim, but the vast majority of *nix operating systems can not.
    If you want security by design look at the mainframe or iSeries.

  31. Great idea, 'Lets ignore what it does' by Ivan Stepaniuk · · Score: 2, Interesting

    So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware gets installed by inexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.

    --
    My other signature is a car
  32. Re:Or just switch to linux! by thewils · · Score: 1

    while the worst 'nix problem is typically something that can only be exploited while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

    Damn, I wondered what that guy was doing in our server room! Brb...

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  33. Re:If OSX, Linux, & BSD can do it, Microsoft c by Dann25 · · Score: 1

    Is their software malware-free or has it just not been targeted yet?

  34. Mac: It's where the money is. by Gary W. Longsine · · Score: 2, Interesting

    Hell, Steve Ballmer keeps repeating over and over how much more expensive the Mac is. If that's true, then people with Macs have more money. Where's the shitstorm of malware trying to steal identities from all those Mac users with hefty bank accounts?

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:Mac: It's where the money is. by cypherwise · · Score: 1

      Seems to hold true on both ends of the wire: Hackers Pay 43 cents per Hijacked Mac

    2. Re:Mac: It's where the money is. by pclminion · · Score: 1

      The installed base is smaller. Therefore the return-on-investment must be lower for a certain development effort (even taking into account your postulate that Mac users are "richer", which I don't buy without seeing some numbers). Remember, malware authors don't do their work for free. A larger user base means proportionally larger returns for the person who contracted the malware development.

    3. Re:Mac: It's where the money is. by JumpDrive · · Score: 1

      This really begs the question "Why would they pay more for a Mac?"

      How much do they pay for a linux system?
      Because I really don't believe that they can't get a linux system also.
      I may just be cynical towards information coming from security companies these days, but it doesn't make a lot of sense that they don't have that information also, if they are so deeply embedded in the cracker mainstream.

  35. So Wrong by ratboy666 · · Score: 2, Insightful

    "The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."

    But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.

    Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.

    I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as it's not a theft of resources I am controlling.

    Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.

    Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.

    About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  36. And like all active-response systems ... by Ungrounded Lightning · · Score: 4, Insightful

    ... it depends on detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

    Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

    Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  37. And amazingly badly written. by khasim · · Score: 1

    Come on! I RTFA and it only talked about different characteristics of different forms of "malware". It even ENDS with that crap.

    Can this be done?
    Of course, I shared the above with the assumption that this type of installation information can be harvested from millions of client machines, infected or not. I believe this is possible, and will share some thoughts here soon.

    Fuck you very much. This isn't "possible". This is "something I thought up between beers".

    AND that crap was spread over THREE PAGES.

    Here's the biggest flaw: once a machine is cracked, you simply cannot rely upon it to report correctly. It's been CRACKED!

  38. Most sites do not actually need cookies by sjbe · · Score: 1, Interesting

    Cookies are also hard to even browse without, most sites don't load if the cookie is rejected.

    Don't know where you are browsing but I've been blocking the majority of cookies for years with little problem. Yes some sites need them, usually the ones you are trying to log into or buy something from. That only describes a small minority of sites - most don't actually need to set a cookie and if you block them you'll never notice the difference. If it is a site you trust and do business with regularly, cookies are fine. Otherwise either block them forever or only allow them for that session. Your web experience will be no worse for the lack of cookies.

    1. Re:Most sites do not actually need cookies by John Hasler · · Score: 1

      > Don't know where you are browsing but I've been blocking the majority of
      > cookies for years with little problem.

      Same here.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  39. Re:If OSX, Linux, & BSD can do it, Microsoft c by Penguinisto · · Score: 2, Interesting

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Depends on how stable the codebase is, how much backwards-compatibility is needed, how much of a kludge the component code bits in question were in the first place, how modular the overall design is/was, etc.

    Sure - Microsoft can do it, but judging from complaints by former Microsofties, and the leaked code from way back in Windows 2000 as a design guide of sorts? Well, on the same note I can, with the same probabilities, dig out Mount Everest and relocate it by using nothing more than a pick axe with a busted handle.

     

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

    More importantly, they were designed to be modular in nature. This means that you can rip out and re-write parts of, say, the kernel, without worrying as much about borking the whole thing by doing so*, or inducing even worse problems elsewhere in it.

    *assuming you don't do anything outright stupid, of course...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  40. Re:Misleading by Ivan Stepaniuk · · Score: 1

    The 'micro' prefix comes from the Greek mikrós, not Latin, and it just means small, not 'very small'. Besides that, I agree, malware is here to stay, and it is also a huge business.

    --
    My other signature is a car
  41. Re:I have a better idea by CannonballHead · · Score: 1

    But it requires root access to install updates (keep your system updated!) and software typically, does it not? Which means the normal user will be in the habit of typing in the root password, just like Windows users are accustomed to clicking "Yes, allow" and/or typing the Administrator password.

    No, Linux users don't generally run as root on their machines, but I type the root password into Ubuntu installations very frequently.

    There is little difference. One clicks "Yes" to allow something to happen, the other types in the root password. When installing malware - on purpose, because it's a smilie pack that I want to use!! it's so cute! brb! lol! - I doubt most "normal" Linux users would think twice about typing in their root password.

  42. Re:Or just switch to linux! by smoker2 · · Score: 1

    It also exploited Microsoft systems, and a warning was issued less than 14 hours after it was first spotted. Mitigating the attack was fairly straightforward, and fixes were quickly available and easy to apply. There are Windows worms, trojans and viruses still going around that are years old. But you drag up a situation that was resolved nearly a decade ago.

  43. Re:If OSX, Linux, & BSD can do it, Microsoft c by Ronald Dumsfeld · · Score: 2, Interesting

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.

    Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.

    What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.

    I still wonder if the No Such Agency still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix fans really hated it, but the entire development of the OS was done using good, tested Software Engineering principles. It was fun when everyone was screaming about the world ending because of the Y2K problem. Alas, I can't find the great response from one of the engineers - basically saying that Y2K was not an issue due to the internal date format, and Y10K would only be a problem for displaying the dates.

    --
    Where's the Kaboom?
    There's supposed to be an Earth-shattering Kaboom.
  44. Shoot that f*cker on sight! by Xaedalus · · Score: 1

    while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

    Anyone who can successfully code a virus for Linux while doing everything you just specified above is a walking holy terror and needs to be shot on sight before he (or she) decides the world is boring and it needs to be more "interesting".

    --
    Here's to hot beer, cold women, and Glaswegian kisses for all.
  45. Re:I have a better idea by zonky · · Score: 1
    No, it just depends if there is also an exploit (perhaps a totally separate one) at that point in time that allows privilege elevation.

    Distros do tend to patch pretty fast, but there is at the moment a clear day or two gap between some apps like Firefox releasing, and the distros having patch versions.

    The real problem remains between the chair and the keyboard.... The operating system can't prevent a total retard clicking yes to everything, or typing in their password because something looks cool....

  46. Re:So... by ciderVisor · · Score: 1

    Sup Dawg ?! I heard you like bein' clean so I put a malware in yo malware so you could disinfect while you disinfect.

    --
    Squirrel!
  47. Leaks and emails reveal Microsoft release policies by Futurepower(R) · · Score: 3, Informative

    The vulnerabilities are apparently the result of Microsoft release policies:

    It was widely reported that Windows 2000 was released with 63,000 known defects.

    It was widely reported that Windows XP was released with more than 100,000 known defects. (I don't have time to find a better link.) Microsoft reported that Windows XP Service Pack 2 fixed several hundred bugs, several of them very serious.

    Windows Vista was released against the wishes of some Microsoft managers, who said it was not ready for release. There was a court case that revealed emails saying that. (Again, I don't have time to find a better link.)

  48. Re:I have a better idea by thewils · · Score: 1

    But it requires root access to install updates (keep your system updated!) and software typically, does it not?

    Actually, no. I run Fedora Core 11 at home and it doesn't require a password to apply updates. I can't remember the last time I had to enter root password.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  49. Re:Or just switch to linux! by jbezorg · · Score: 1

    But you drag up a situation that was resolved nearly a decade ago.

    Linux Kernel 2.6 Local Root Exploit - February 10 2008
    New Linux Flaw Enables Null Pointer Exploits - July 17, 2009

    Better?

    My point was that the ISC was created in response to a virus that had an impact on Linux. More to the point, that "Linux" ( much like "Mac" ) does not mean "invulnerable". Any competent system admin will tell you that.

    fixes were quickly available and easy to apply

    This has less to do with existence of exploits and more to do with competency doesn't it? Tell you what, if you can tell my mother-in-law how to apply this decade old fix to a Linux system correctly, without excusing yourself for a moment to go outside and bang your head against the wall, I'll concede.

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
  50. what a bunch of crooks... by C0vardeAn0nim0 · · Score: 2, Informative

    try this on a solaris box:

    # find / -type f -perm -u+x -exec digest -va md5 {} \; > /executables_digest

    then every week, do:

    # find / -type f -perm -u+x -exec digest -va md5 {} \; > /tmp/weekly_digest
    # diff /executables_digest /tmp/weekly_digest

    pretty much how software like tripwire works.

    what those crooks on TFA want is to collect a bunch of information about everybody's computers, then sell it to the highest bidder.

    fuck them. not on my solaris boxes. not on my linux boxes.

    --
    What ? Me, worry ?
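    The same baseline-and-diff idea, written out as an added example (not the poster's commands and not tripwire's code): hash every regular file with an execute bit set, keep the path-to-digest map as the baseline, and later diff a fresh map against it to list executables that were added, removed or changed. The directory tree, the file contents and the "tampering" are all constructed in a temporary directory so the block runs anywhere; the digest algorithm (SHA-256) and the execute-bit test are the example's choices, standing in for the find/digest recipe above.

```python
"""Added example, not code from the post: a minimal tripwire-style
integrity baseline in Python that mirrors the find / digest / diff recipe
above.  Every regular file with any execute bit set (the intent of the
-perm test) is hashed with SHA-256; the resulting path -> digest map is the
baseline, and a later map is diffed against it.  The directory tree and the
tampering are constructed in a temporary directory so it runs anywhere."""
import hashlib
import os
import shutil
import stat
import tempfile

def is_executable_file(path):
    """Regular file with the u, g or o execute bit set (find -type f -perm)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(stat.S_IMODE(st.st_mode) & 0o111)

def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map of relative path -> digest for every executable file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_executable_file(full):
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def compare(old, new):
    """What diff would show, but structured: added, removed and changed paths."""
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: take a baseline, tamper, and report the diff."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))

        def write(rel, data, mode):
            full = os.path.join(root, rel)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/ls", b"#!/bin/sh\necho ls\n", 0o755)
        write("bin/ps", b"#!/bin/sh\necho ps\n", 0o755)
        write("motd",   b"welcome\n",            0o644)  # not executable: ignored
        before = build_baseline(root)

        # Simulated tampering: ps replaced, a new binary dropped, ls removed.
        write("bin/ps",      b"#!/bin/sh\necho tampered\n", 0o755)
        write("bin/newtool", b"#!/bin/sh\necho new\n",      0o755)
        os.remove(os.path.join(root, "bin", "ls"))
        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    The baseline is only as trustworthy as the place it is stored: a file sitting on the same host can be rewritten by whatever replaced the binaries, and a kernel-level rootkit can feed the checker stale file contents. The usual practice is to keep the baseline (and ideally the checker) on read-only or off-host storage and run the comparison from a known-good environment.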
  51. Re:Or just switch to linux! by Omestes · · Score: 1

    A properly configured 'nix machine is much more difficult to exploit than a 'doze box.

    Here is the problem. A properly configured Windows box is pretty damn hard to exploit. I haven't had a virus in my recent memory, and most other malware infections are wholly the user's fault (i.e. no amount of OS level security will protect them). Granted, in my near 30 years of computers, I've had 2 Windows viruses, 0 Linux viruses, and 0 OS X/Mac viruses, and 0 C64/Amiga/DOS/BSD ones as well. Well, really one Windows virus, the second was wholly my fault.

    Anecdotal, yes. Relevant, perhaps.

    The rub, though, is a properly configured box of any type, with a semi-educated competent user is pretty damn secure. A badly set up box, or a dumb user, is a recipe for disaster no matter what your OS of choice is.

    --
    A patriot must always be ready to defend his country against his government. -edward abbey
  52. Re:I have a better idea by drsmithy · · Score: 1

    I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

    I'll just point out there that since the vast majority of machines aren't professionally-run multiuser servers, and very little malware really needs elevated privileges, that distinction is basically irrelevant in the real world.

  53. Re:Malware vulnerability is profitable for Microso by drsmithy · · Score: 1

    The best way to stop malware is to audit code so that it doesn't have vulnerabilities.

    Most malware doesn't exploit software vulnerabilities, though, it exploits wetware ones.

  54. Re:If OSX, Linux, & BSD can do it, Microsoft c by drsmithy · · Score: 1

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    When OSX, Linux and BSD have the same user demographic, the comparison can be validly made.

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

    Perhaps you can elaborate on the relevant "design" aspects you're referring to here.

  55. Re:Leaks and emails reveal Microsoft release polic by drsmithy · · Score: 1

    The vulnerabilities are apparently the result of Microsoft release policies:

    It's kind of cute you think their release policies are meaningfully different to anyone else's.

    You do realise a "defect" in the context of those numbers could be as trivial as a typo in a helpfile, right ?

  56. I wonder... by Dudeman_Jones · · Score: 2, Insightful

    Ok now I am almost positive I'm going to incite some flames with this comment, but I'm actually curious about the opinion here.

    If this same idea were to be proposed by an open-source anti-malware solution, would you still be so hesitant about it?

    How about if the proprietary companies were able to provide concrete evidence of the anonymity of your collected information?

    Again, I'm NOT trying to incite a flame war with this, but it just seems so often that people rally a (mostly deserved) hatred and distrust of any and all companies that are proprietary, while having a (possibly detrimental) implicit trust of open-source solutions.

    Besides, this could actually be a good idea. After all, we can't cure the common cold, but we can somewhat effectively stop it in its tracks because we know how it's transmitted from person to person and can thus take appropriate measures against it. What's more is that the same goes for most all acquired illnesses. I'm not saying mandate the submission of such data, but having it as an option for users could provide anti-malware researchers with a powerful tool in studying them akin to biologic researchers and strain discs.

  57. Obviously you didn't try the 2009 version by Crazy Taco · · Score: 1

    Unluckily for me, it happened to be Symantec's. To this day I've still tried to get it off my system, with no luck. Every week it pops up during the night, scans all of my hard drives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

    Yeah, that sounds exactly how it worked on my system up until the latest version. I was going to dump Symantec for something else (finally), but then heard they had made major improvements to performance and other issues you mentioned, so I tried the trial version and was hooked. If I'm going to run anti-virus software, it WILL be Norton (at least this year). Everything you mention above has been fixed. The popups, the goofy stuff about tracking cookies, the slowness, it's all better. And I'm not a shill for Norton either, and I'm not someone who works for them. I just genuinely like the latest version of their product and find it to be better. Credit where credit is due...

    --
    Beware of bugs in the above code; I have only proved it correct, not tried it.
  58. What about the other "bottom line"? by gordguide · · Score: 1

    "...If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations ... The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.' ..."

    No, the Bottom Line is this: for this to work, we'd have to trust you, and not only do we not trust you, we shouldn't trust you even if we did trust you.

    So, never gonna happen, regardless of how useful it may be.

    Next ...

  59. Not just tested, it's in their modern products by juventasone · · Score: 1

    For a year or more, all Symantec security products have included some form of heuristics/behavior/reputation-based detection. The technologies include Norton Insight, SONAR, and TruScan.

    The signature-based detection that has been used for so many years isn't very useful anymore. By the time something is confirmed to be in the wild, captured, analyzed, and definitions created for it and tested, that particular strain has pretty much run its course already.

  60. Salutations by conureman · · Score: 1

    My preference is a hearty "Greetings!". I got it from Bob Ames. However, sometimes I still say "Howdy!", as I learned from Roy Rogers.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  61. Re:If OSX, Linux, & BSD can do it, Microsoft c by Spit · · Score: 1

    Backwards compatibility is a non-free software issue. If you have source, you can make it work on your upgraded platform or migrate to an entirely new architecture.

    --
    POKE 36879,8
  62. Re:I have a better idea by DavidTC · · Score: 1

    It's irrelevant until you need to fix the problem.

    Windows malware, all too often, totally breaks the system, somehow managing to escape from the user account.

    I have no idea how this happens, but it does. The entire system gets broken. Antivirus gets broken quickly before definition updates come in. People have system-wide IE problems, and their hosts file is rewritten, and there's a damn ring-zero network driver running.

    Linux, however, has actual account separation. Yes, malware could get in, and horribly infect an account, turning the machine into some virus spewing monster.

    But it couldn't break the antivirus, which would update and catch the problem. It couldn't stop people from booting up as some other user, or even some sort of automated recovery tool that moves all files somewhere else and then copies 'known safe' files back to the account, running chmod -x on documents, and generally fixing everything. A fricken shell script could get rid of viruses!

    Running as normal users on an OS with actual account separation, and users who don't generally type in a root password is not 'safer' in the sense that infection is less likely. It is not less likely.

    But it's much better in that you, or even antivirus software, can actually fix infections.

    Hell, you could fix the system by installing antivirus after the infection, which is near impossible on Windows.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  63. Re:Malware vulnerability is profitable for Microso by bloodhawk · · Score: 1

    Though the OP was a little abrupt, he is 100% correct. Malware is not stopped by ANY OS. Last time I checked a user could install whatever they wanted on OSX, Linux and BSD. The user clicking "yes please install this piece of shit" is how the majority of malware is propagated and NONE of the OSes you pointed out provide any protection for that.

  64. big brother element No xxx by kubitus · · Score: 1
    the next thing making 1984 come true

    -

    I think 1984 was meant to be 2000 plus 16 instead of - 16!

    in 2016 we will have Orwell's Prediction:

    newspeak is here

    doublespeak is here

    irregular behaviour detection by cameras is here (slashdot article)

    ubiquitous surveillance cams are here

    cams in laptops and mobile phones are here

    and corrupt government is also here

  65. It is necessary to explain Windows' sloppiness. by Futurepower(R) · · Score: 2, Informative

    Windows Vista was released before it was ready. Even Microsoft middle managers complained about that. Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product.

    One magazine collected 210,000 signatures against adoption of Windows Vista and for keeping Windows XP: The campaign to save Windows XP.

    The fact is that we are not seeing the kind of weaknesses in Linux, OS X, or BSD that are commonly found in Windows. Windows XP was an expensive hassle for us until SP2.

    Here is an interesting fact: The latest version of Firefox, and all the versions before it, have a bug which causes Firefox to crash when there are too many windows and tabs. That bug corrupts Windows; sometimes Windows crashes, also. It is always necessary to re-start the computer.

    Linux remains stable when Firefox crashes, however.

    1. Re:It is necessary to explain Windows' sloppiness. by drsmithy · · Score: 1

      Windows Vista was released before it was ready.

      Congratulations. One example. Every vendor that I'm aware of has (at least) one.

      Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product.

      Except there was nothing particularly unusual in the actual reception for Vista (the media circus and FUD surrounding it is another matter). Essentially the same thing happened with Windows 2000 and XP - many companies skipped 2000 completely, and/or only moved to XP once SP2 was available (which could feasibly have been an independent release, not a Service Pack).

      One magazine collected 210,000 signatures against adoption of Windows Vista and for keeping Windows XP: The campaign to save Windows XP.

      Wow. 210,000 "signatures" in an online petition. Heady stuff indeed.

      The fact is that we are not seeing the kind of weaknesses in Linux, OS X, or BSD that are commonly found in Windows. Windows XP was an expensive hassle for us until SP2.

      The fact is that none of those OSes has either the user demographic or the profile of Windows.

      Here is an interesting fact: The latest version of Firefox, and all the versions before it, have a bug which causes Firefox to crash when there are too many windows and tabs. That bug corrupts Windows; sometimes Windows crashes, also. It is always necessary to re-start the computer.

      Link?

  66. Pointing the finger the wrong way by dbIII · · Score: 2, Insightful

    Oh yes, the smug "users are dumb" argument.
    Since the same people typically have ADSL modems which are NOT infected with any sort of malware I think the argument is complete rubbish and we're suffering from a platform where "developers are dumb".
    Microsoft are waking up to it very slowly, but there are a vast number of third party applications developed by those still asleep at the wheel of the speeding malware trainwreck in progress. Just about any effort Microsoft make at improving security is rendered pointless by those that insist their stuff has to run as Admin or the functionally equivalent "power user". It takes great whopping security holes that should never exist before anything as trivial as clicking on a link could do anything horrible to the computer.
    Being smug apologists for broken systems doesn't get us anywhere. With a few good choices you can have a Microsoft based system as immune to being broken by users clicking on things just as if they were on a Mac, Sun, linux, BSD ... let's face it, anything at all apart from a badly setup Microsoft box.

  67. Re:Mac: It's where the money is. No longer. by milosoftware · · Score: 1

    Mac users have no money because they spent it already.

    --
    Musicians don't die. They just decompose.
  68. Re:I have a better idea by drsmithy · · Score: 1

    It's irrelevant until you need to fix the problem.

    Not really. Once a system has been infected with malware, it should be nuked (unless you have some method of independently verifying everything on it).

    Windows malware, all too often, totally breaks the system, somehow managing to escape from the user account.

    Typically because the user allows it to ("Click Continue to see porn? Sure I will."). Less frequently, by actually exploiting some privilege escalation bug.

    Linux, however, has actual account separation. Yes, malware could get in, and horribly infect an account, turning the machine into some virus spewing monster.

    Linux has no more account separation than Windows. Less, technically speaking, unless you've got SELinux running (and most don't).

    Hell, you could fix the system by installing antivirus after the infection, which is near impossible on Windows.

    How do you know the malware hasn't used a local escalation exploit, spread itself throughout the whole system, and possibly even into things like the MBR or BIOS?

  69. Facebook quizzes by Lord+Lode · · Score: 1

    Cool, this system would also clean out all annoying facebook quizzes, those spread like a virus too!

  70. protection from anti-malware malware by viralMeme · · Score: 1

    "let's argue that there are secure ways antivirus protectors could learn about all installations of software -- good and bad -- that any of their end-users perform. Let's also assume that they could easily collect other data from these machines and users: geographic location, social networking information, type of operating system, installed programs and configurations"

    What's going to protect us from defects in these security systems? Wouldn't giving these malware monitoring systems access to computer networks lessen security rather than enhance it? And isn't it the case that in order to be protected from spyware, I have to let this security system spy on me? And didn't someone once argue against enumerating badness, as in it's a bad idea? Because 'the amount of Badness in the Internet began to vastly outweigh the amount of Goodness'.

  71. Would not work.. by hesaigo999ca · · Score: 1

    >and instead look at how it moves between machines..
    Well, actually you would not be able to, because most move in stealth, hidden within other files, blocks of code being split into sections and then added to the ends of files, and then reconstructed on the other side...this would not work for this simple reason.
    You could not look at a file someone is downloading and say it came from such a location, it's ok; you have to look at the content and the file meta tags...this is the premise of file signatures...hence why we live in a world of virus signatures, and dynamic code blocks.

  72. Re:Leaks and emails reveal Microsoft release polic by amplt1337 · · Score: 1

    It's kind of cute you think their release policies are meaningfully different to anyone else's.

    Their release policies are very different from, say, Debian's. Or a lot of the OSS world's. (For obvious reasons.)

    --
    Freedom isn't free; its price is the well-being of others.
  73. In other news... by darkvizier · · Score: 1

    In other news, the DPS has determined that if everyone agreed to submit a list of their frequently visited restaurants, friends and contacts, and passwords to all electronic devices, they would be able to find criminals far more easily. This concept is a major advance in social science and will allow us to finally be free of the terror and uncertainty that has gripped us for so long.

  74. Re:I have a better idea by DavidTC · · Score: 1

    Typically because the user allows it to ("Click Continue to see porn? Sure I will.").

    This is why you don't allow privilege escalation without a root password, and you don't commonly have parts of the system that need it. Even stuff like installing out of repositories can be done without escalating the user.

    If users only typed in their root password once a month or less, users are unlikely to type it in in some random circumstance. You just have to have a moderately intelligent sort of 'sudo'.

    How do you know the malware hasn't used a local escalation exploit, spread itself throughout the whole system, and possibly even into things like the MBR or BIOS?

    Because local escalation exploits are vanishingly rare on Linux, and so common on Windows that they essentially cannot be called 'exploits' anymore, but actual features of the OS.

    And many applications out there have to run as admin anyway, making any sort of 'exploit' pointless. Windows' inability to actually practice any sort of account separation is the problem here. (No matter which is better or worse 'in theory'.)

    Yes, if Linux got more popular, more malware would be written for it, but user malware is easy to fix. System malware is not. Thanks to the dominant OS making the first incredibly easy to become the latter, the PC security community has mostly failed to realize or understand these two entities are not the same thing. (Like your 'nuke the machine' recommendation.) Hence their constant statement of 'If Linux was popular, viruses would be targeted at it', which is true, but irrelevant...viruses are easy to fix when the antivirus is root, and the virus is not. Malware is easy to find when it's launching itself from .bashrc and is a normal process.

    Now, of course, privilege escalation exploits would, in fact, show up on Linux, and viruses would use them until they were fixed. That can't be stopped. But occasional weaknesses are not the same as Windows' constant inability to get it right ever, along with, ironically as they fix that, their dumb new UAC system, which teaches users to allow processes to do whatever they want.

    OTOH, Linux systems are still easier to recover from even a system infection, as almost every executable file will be from a known package with a known digital signature, and a boot CD could just download and reinstall all those files that have incorrect signatures, check each document file, and nuke everything else. Windows systems are impossible to repair because you can't verify every file...but you can verify 99% of them on a Linux system, and leave the system mostly intact.

    --
    If corporations are people, aren't stockholders guilty of slavery?
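    The recovery procedure sketched in the comment above (verify each file against the hash its package vouches for, reinstall mismatches, treat executables no package owns as suspect, keep documents for review) as an added Python example; it is not part of the original comment, and the manifest, file tree and hashes it uses are constructed here, not read from any real package database.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, manifest: dict) -> dict:
    """Classify regular files under an offline-mounted root.
    manifest: path relative to root -> sha256 the package metadata vouches for.
    ok = matches; reinstall = packaged but altered; missing = packaged but gone;
    quarantine = executable no package owns; review = unpackaged user data."""
    buckets = {"ok": [], "reinstall": [], "quarantine": [], "review": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices need their own rules
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            if rel in manifest:
                bucket = "ok" if sha256_of(p) == manifest[rel] else "reinstall"
            elif st.st_mode & 0o111:
                bucket = "quarantine"  # code the package database cannot vouch for
            else:
                bucket = "review"      # documents: scan them, never trust as code
            buckets[bucket].append(rel)
    buckets["missing"] = sorted(set(manifest) - seen)
    return {k: sorted(v) for k, v in buckets.items()}


def build_demo():
    """Constructed sample root (not a real system): clean ls, tampered ps,
    a cat the manifest lists but the disk lacks, an unowned script, a document."""
    root = Path(tempfile.mkdtemp())
    clean_ls, pristine_ps = b"#!/bin/sh\necho ls\n", b"#!/bin/sh\necho ps\n"
    files = {
        "usr/bin/ls": clean_ls,
        "usr/bin/ps": pristine_ps + b"# unexpected extra bytes\n",
        "home/alice/helper": b"#!/bin/sh\n:\n",
        "home/alice/notes.txt": b"meeting notes\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        if data.startswith(b"#!"):
            (root / rel).chmod(0o755)
    manifest = {
        "usr/bin/ls": hashlib.sha256(clean_ls).hexdigest(),
        "usr/bin/ps": hashlib.sha256(pristine_ps).hexdigest(),
        "usr/bin/cat": "0" * 64,  # placeholder digest; the file is absent
    }
    return root, manifest
```

    Run from a rescue environment the same logic would be fed by the real package database; the "review" bucket is where the comment's "check each document file" step happens.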
  75. Re:I have a better idea by drsmithy · · Score: 1

    This is why you don't allow privilege escalation without a root password, and you don't commonly have parts of the system that need it. Even stuff like installing out of repositories can be done without escalating the user.

    Sorry, "type your password here to see porn" isn't going to make a meaningful difference.

    If users only typed that in their root password once a month or less, users are unlikely to type it in in some random circumstance. You just have to have a moderately intelligent sort of 'sudo'.

    Frequent escalation prompts are almost completely an application level issue.

    Because local escalation exploits are vanishingly rare on Linux, and so common on Windows that they essentially cannot be called 'exploits' anymore, but actual features of the OS.

    That's not what the advisories on secunia.com would suggest.

    And many applications out there have to run as admin anyway, making any sort of 'exploit' pointless. Windows' inability to actually practice any sort of account separation is the problem here. (No matter which is better or worse 'in theory'.)

    It's an application problem, not a Windows problem.

    Yes, if Linux got more popular, more malware would be written for it, but user malware is easy to fix. System malware is not. Thanks to the dominant OS making the first incredibly easy to become the latter, the PC security community has mostly failed to realize or understand these two entities are not the same thing. (Like your 'nuke the machine' recommendation.) Hence their constant statement of 'If Linux was popular, viruses would be targeted at it', which is true, but irrelevant...viruses are easy to fix when the antivirus is root, and the virus is not. Malware is easy to find when it's launching itself from .bashrc and is a normal process.

    Except that won't be what happens, nor is there any reason to think it is.

    Now, of course, privilege escalation exploits would, in fact, show up on Linux, and viruses would use them until they were fixed. That can't be stopped. But occasional weaknesses are not the same as Windows' constant inability to get it right ever, along with, ironically as they fix that, their dumb new UAC system, which teaches users to allow processes to do whatever they want.

    UAC behaves identically to sudo prompts in Linux distros like Ubuntu, and OS X. It prompts in the same scenarios and for the same reasons.

  76. Dancing Monkeys by Doctor+O · · Score: 1

    don't click the box

    But I want to see the dancing monkeys!

    --
    Who is General Failure and why is he reading my hard disk?
  77. Re:I have a better idea by DavidTC · · Score: 1

    Frequent escalation prompts are almost completely an application level issue.

    Yes, but Linux has fewer applications running privileged. (At least, Linux desktops.) Fewer applications with root privs = fewer escalation exploits.

    It's an application problem, not a Windows problem.

    At this point, all Windows problems are third-party problems. Either application problems or driver problems. The actual code written by MS is fairly good.

    That does not actually change anything, nor does it mean that Linux is not better designed in those areas, or at least better designed than Windows was previously designed, and has to continue to support that stupid design.

    In short, Windows pre-NT was incredibly stupidly designed. NT and later, the design is fine, in fact, the design is arguably better than Linux.

    However, in practice, it had to support all the older apps, so the new design was constantly ignored in favor of everyone running as Admin. And because everyone ran as admin, apps continued to come out that required it, even as late as present day!

    They really needed UAC on XP, and not let people run as Admin. It's going to take an entire software generation, call it 5-10 years, of UAC and software being forced to do actual correct privilege separation, or be very annoying if they aren't doing it, before Windows is anywhere near as secure as Linux was a decade ago.

    That's not what the advisories on secunia.com would suggest.

    Most of those are for things desktop users would not be running, and, just as importantly, almost all applications on Linux systems are provided via the distribution, and hence can be quickly upgraded by the distribution. Silently, in the background.

    Except that won't be what happens, nor is there any reason to think it is.

    If malware is stuck as a user, there are a limited number of places it can reasonably put itself. There's probably a better place than .bashrc, like some obscure gnome config file, but the program files themselves are also limited essentially to ~

    UAC behaves identically to sudo prompts in Linux distros like Ubuntu, and OS X. It prompts in the same scenarios and for the same reasons.

    Oh, I'm not in any way trying to say that the sudo prompts in Linux are the correct way to do it. We're not talking about now, where most users of Linux are either expert users, or locked-out non-admin users who can't do anything anyway.

    I'm talking about a hypothetical future where Linux and MS have, let's say, 50% market share, with roughly the same people running them, and as many viruses target Linux as Windows. (The comment that started all this was 'If Linux becomes the place where the people and money are, Linux will have its own legion of malware writer') Linux distros could do sudo correctly, and would if they got viruses that did sudo prompts.

    Of course, first I should point out that Linux applications don't commonly need admin privs and prompt users at launch. Usually, any program that does that has some logical reason for it, as opposed to some Windows game that wants direct access to the CD because of DRM or something.

    As for changes, I'd suggest: Stop prompting to install, or uninstall, signed application software from the distribution channel. Just go ahead and do it, unless the user's been blocked from that by admin. Distros would have to decide what is 'application' vs. what is 'system', but they already do that.

    Considering that 90% of 'prompting to install malware' on Windows is when users know they're installing something, if you have users normally install things by going into the 'Add/Remove Applications' and just clicking on them and poof, installed, they are going to be somewhat hesitant to download something, mark it executable, and launch it, and then type in their root password.

    Whereas Windows users do that (mostly) all the time. Heck, now what Linux us

    --
    If corporations are people, aren't stockholders guilty of slavery?
  78. Re:I have a better idea by GravityStar · · Score: 1

    No.

    kthxbyeseeya