Because the very act of surfing the web is - from a security perspective - probably one of the most stupid things to have happened in the whole of computer history.
And I'm not exaggerating.
The first thing anyone who gives a damn about IT security learns is "don't open any old random garbage". How important this rule is (and how easily it's forgotten) was first brought home with things like ILOVEYOU - and that was 11 years ago, FFS. As a result, mail systems have been getting ever more paranoid about accepting executables - it's quite awkward to even successfully receive an executable in Outlook today, and that's assuming they've not been blocked at the mail server.
While this has been going on, web browsers and their plugins have been merrily gaining more and more functionality and more and more potential for exploits of more-or-less exactly the same type. But they're slightly worse. With email, most modern mail applications don't run any active content that's likely to cause a problem until you explicitly tell them to. Web browsers run it as soon as the page loads.
So we now have millions of people worldwide who are actively using a tool which - by design - downloads and runs random code from anywhere in the world with little or no confirming that one would want to - or indeed that it would be sensible to. At best you have something like Safari's "Warning, this site may damage your computer" page - but we already know that such warnings are fairly useless because people have been conditioned to ignore them.
Click on the link and abracadabra, as if by magic your computer is infected with malware.
I had one yesterday through stumbleupon - it showed a webpage claiming to scan for (and naturally find) malware and at the same time triggered the download of something calling itself anti_malware.zip. I don't know if it would have exploited a browser hole to install itself had I been running Windows or if it was simply banking on me running the download.
It is absolutely commonplace to find that in companies the size of Sony, different divisions are effectively operated as wholly separate companies and about the only thing they share is the company name and logo.
Separate directors, separate budgets, in some cases even separate legal entities. It shouldn't be too surprising to find they have different attitudes to things like this.
When a small business such as you or I might run fails to keep systems in PCI compliance, the bank can revoke our ability to take cards and we are in trouble.
When a huge business such as Sony fails to keep systems in PCI compliance, the bank cannot revoke ability to take cards otherwise the bank's in trouble.
Could someone who is a gamer answer a few questions?
1. Is it currently possible to run games (hacked or otherwise) from Linux once your PS3 has booted Linux? Or do you have to reboot the console into the game directly?
2. How practical is it to hack a PS3 game in the first place and how many games are known to have been hacked with cheats such as aimbots? I was under the impression that when running games on the PS3, more-or-less everything had to be signed.
What I'm trying to figure out is from the other side of the fence - do the complaints from the people in the pro-Sony camp make any sense at all? Or are they just lapping up rubbish being spouted by Sony's PR people?
Generally, day-to-day services are free but as soon as you go into an unauthorised overdraft you get really stung. Think charges for going overdrawn, charges for writing a letter telling you that you are overdrawn, per-transaction charges for every transaction that is declined as a result of the overdraft and fortnightly charges for the privilege of holding an account which is in an unauthorised overdraft. And punitive interest on top of those charges.
It's possible - indeed, it's quite well known - for someone to go overdrawn by less than £10 and by the time the letter informing them of this lands on the doormat, they're £100 into an unauthorised overdraft from nothing but charges.
Despite all the problems, using an ATM machine beats standing in that long ass line trying to cash a check.
Why are banks open only from 10-3, the sort of hours they know everyone is at work? And why is it that at least one bank teller is on break or on lunch?
If the US is anything like the UK, it's because they don't care about personal customers. Individuals don't make them anything like enough money on a per-individual basis, the only way to make money from individuals is to have thousands upon thousands of them and funnel them all through the quickest, most efficient means possible. And if that means a few customers get upset - well, you're never going to please all the people all the time.
I guarantee you if a really significant sum appears out of nowhere in your account, that'll change very fast. You'll have a bank rep on the phone to you within a couple of days wanting to chat. You're suddenly someone with some money to whom they may be able to sell significantly more lucrative products.
Businesses, OTOH. They're a whole different kettle of fish. They tend to have far more transactions per month, if they're in the UK they're far more likely to pay per-transaction and there's a good chance they owe the bank a significant sum of money - far more than most individuals. And a liability from your perspective is an asset from the bank's perspective. It doesn't become a liability unless the business owing the money goes to the wall. They're definitely going to pay a lot of attention to their biggest assets.
So the bank puts people behind the desk at a time that's convenient to businesses.
I don't know how things work in the US, but in the UK there are all sorts of ways of establishing a credit history which don't involve dealing with scummy companies like this.
You can sign up for a credit card from a company offering cards explicitly for people with bad credit histories. There's always someone prepared to offer credit cards to people with less-than-stellar credit and you don't have to buy a big item (with associated huge interest payments) with it. Simply buying a few small things and making the payments is a good start.
You can self-certify for a mortgage. Essentially you sign a form saying "I confirm I can make the payments on this". Again, you'll pay a higher interest rate - but there's nothing to stop you re-financing a couple of years down the line.
By the time you have to go to a company like this, your credit must really be shot to hell.
Do you know, I think you're the first person to get it in the whole thread?
These companies do not sell to people who will do a bit of arithmetic and work out the most cost-effective way of getting what they want. They don't expect to sell anything to such a person.
They sell to a group who want the latest thing and focus purely on how much it'll cost them per month.
Clearly this group of people is big enough to sustain such businesses or they wouldn't exist.
So what you're saying is, maybe all those people who tell you that you should never, ever buy anything on credit (because credit is evil and you should always buy everything with cash), should get a crash course on something called "opportunity cost"? It's not as if it's hard for a student to get a credit card.
These companies don't aim at people who can easily get a credit card. I don't know what it's like where you are, but here in the UK they've got very flashy window displays proudly announcing things like "Poor credit history? No proof of earnings? Not a homeowner? No problem!". The actual final price you wind up being stung for is carefully hidden.
They'll sell to more-or-less anyone, and the business model is clear - their customers have a high risk of not paying, but that doesn't matter too much because the item that was sold under a 12 or 24 month contract was actually paid for in the first 3-6 months. Provided the customer continues to pay for longer than that, you're in profit. And they often will, because you're not the sort of company that writes a few rude letters before taking someone to court over missed payments. You're the sort of company that sends around a couple of big, threatening-looking men to take the item away if payment is so much as 10 days late.
Such companies are vultures, they prey on a section of society that wants the latest toys but cannot hope to afford them. But they're very well dressed, very smart vultures with high street business premises, which is enough for the target market not to realise what they're letting themselves in for until it's far too late.
I forget exactly where I first read it, but it bears repeating: Unless you can put your finger on a damn good reason why your business cannot deal with any downtime, you don't need high availability and probably shouldn't bother with it.
It invariably introduces a lot more complication, a lot more to go wrong. Few businesses truly need it, usually all they need is a clear plan to recover from system failure which accounts for the length of time such recovery will take.
Simply running your application on, say, a highly-available VM in someone else's datacenter does not make that complication go away, it just makes it somebody else's problem.
When you spend a great deal of money on consumer goods, there are always one or two features which are exclusive to the expensive model and tend to remain so.
Quite often, that feature is something that doesn't even get mentioned in the abbreviated spec list (maybe the manufacturer thought it was so damn obvious it wasn't worth mentioning) and is more related to form than it is to function. You can't compare an iPhone 3GS to a Sony Ericsson XPeria X8, but I bet you there's an insurance company somewhere that does.
But in the end you really can't blame MSFT for this one, since their recommendations on writing permissions has been the same since Win2K pro, it is just nearly every third party vendor just gave MSFT the bird and wrote everything as admin because it was the lazy way to go. But if you are dealing with a vendor who after FOUR YEARS of UAC STILL hasn't bothered to write an acceptable program with normal permissions I would seriously be pushing for another vendor. After all if they can't even code correct permissions, what other shoddy code have they let slip by?
As would I, but the OP you're replying to is a slightly special case because they're working in a school.
Educational software tends to fall into one of two camps:
1. It does a first-class job of getting the message across to the pupils. Unfortunately the person who wrote it wouldn't know a Microsoft recommendation if it bit them on the bum. It ships to the school with installation instructions saying "Visit every PC in turn, insert the CD and go Start, Run, D:\install.exe"; there isn't an MSI. Further investigation suggests that repackaging as an MSI is somewhat awkward because the installer does all sorts of different things depending on what it finds when it runs. (This was certainly the case a few years ago, I don't know if things have improved much since but I doubt it, particularly with the mention that UAC often needs disabling).
2. It's dead easy to run it from a network location or deploy it using an MSI. Indeed, that's exactly what they recommend you do if you've got more than a couple of PCs. Unfortunately, it really doesn't do a terribly good job of getting the message across to pupils.
Guess which sort tends to get purchased by eager teachers trying to find something to make their life a little easier?
Okay, so let's look at the practical differences between infecting a user account and infecting a system account.
1. If you're running as a user, you might find it harder to start an application as part of the boot process. Not the end of the world, however, because it's easy enough to start as soon as the user logs on - and this is true on Windows, OS X and Linux.
2. You can set up TCP/IP connections as any user. You can't listen on a privileged port, but that's hardly a showstopper.
3. You can still steal user data regardless of whether or not your application is running as root. You can't overwrite the OS but you probably don't want to do that because it'll draw attention.
4. You can't interfere directly with the keyboard buffer to read keystrokes as they're being typed. But you probably don't need to. Most modern operating systems have very sophisticated APIs to allow applications to communicate and little inherent security built into those APIs - for instance, under Windows it's quite easy to write an application which silently screen-scrapes another application and that process will run just fine as a normal user.
5. If your application is running as a domain user in Windows, it's arguably a bigger security risk than if it's running as a local admin. The local admin SID will be more-or-less useless beyond the confines of the PC the application is running on. This is not so for a domain user's SID. Much the same is true for NFS in Unix - any admin with half a brain will use squash_root but that doesn't help when malware isn't running as root in the first place.
You're not exactly in a strong negotiating position as the customer. You either pay up or get cut off, and while you can sue them, they're not obliged to keep you as a customer. If you're short of options in your local area, the words "nose", "spite" and "face" spring to mind.
IME it's vanishingly unlikely that an admin would put that much effort into making printers browseable when the typical use-case is that nobody is ever going to browse for printers. PCs will be built with the appropriate printers pre-configured.
There is very little significant difference between distros. The underlying software used to support printers, video cards and scanners is all the same - the only significant difference is in relatively small patches, default configurations and GUI tools provided to manage them.
A trick I used about twelve years ago (can't believe it's still necessary today) was to re-use known-good configurations when moving from one distro to another rather than mess around trying to figure out how a given distro vendor had put together their GUI tools. Worked pretty well, as it happens - I never had to care that the distro did a lousy job of supporting a particular piece of hardware.
ClamAV is somewhat less than ideal on a number of levels:
1. It doesn't do realtime scanning.
2. It doesn't have any sort of centralised management. When you're dealing with this many systems, you want a central list of what systems are up-to-date with their definitions and a way to force systems that are out of date to get an update. This is something you get with commercial AV products aimed at businesses; it is invariably missing on free products.
Which is why you don't run AV on a compromised machine. You boot from a rescue CD such as that provided by Avira or F-Secure.
Even that's not a perfect solution, of course, because it assumes your scanner can detect secondary vulnerabilities injected by the infection itself - or that no such vulnerability exists. Both of which seem rather optimistic assumptions. Ideally you'd have some sort of boot CD that can run checksums against every file on the system - but by the time you get to this point, it's probably several times quicker to rebuild the system.
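An added example, not part of the original comment, of the checksum check described above: it hashes every file under a mounted filesystem and compares the result against a known-good manifest taken earlier. The function names and the constructed sample tree are assumptions; in practice the baseline would be stored off the machine and the comparison run from rescue media with the suspect disk mounted read-only.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to a fingerprint."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Record where a symlink points rather than following it.
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Report files that changed, vanished or appeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed sample tree: baseline it, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        ls_path = _write(root, "bin/ls", b"original-ls-binary")
        _write(root, "bin/sh", b"shell")
        hosts_path = _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)

        # Replace a file with same-length content and restore its timestamps,
        # so a size/mtime comparison would see nothing wrong.
        before = os.stat(ls_path)
        with open(ls_path, "wb") as fh:
            fh.write(b"tampered-ls-binary")
        os.utime(ls_path, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(ls_path)
        metadata_unchanged = (before.st_size == after.st_size
                              and before.st_mtime_ns == after.st_mtime_ns)

        os.remove(hosts_path)                 # a file that disappeared
        _write(root, "bin/.helper", b"new")   # a file that was not there before

        return compare(baseline, build_manifest(root)), metadata_unchanged


if __name__ == "__main__":
    report, metadata_unchanged = demo()
    print("size and mtime unchanged on tampered file:", metadata_unchanged)
    for kind, paths in report.items():
        for p in paths:
            print(kind, p)
```

A clean comparison only shows that files match the baseline; it says nothing about files that were already altered when the baseline was taken.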
If you look at the latest threats for Windows, probably 70% of them are trojans of some sort.
Looking at Symantec's website, the remainder are all variants on the exact same application - VirusDoctor. So the true percentage of trojans (as opposed to viruses) is probably much higher than 70%.
That's default-permit. It doesn't work. If it did, we wouldn't have to update antivirus scanners every day and still find malware getting through.
He may not be CEO for very long if he makes a habit of making announcements like this.
Don't talk common sense, man, this is /.!
what is the main selling point for Linux on servers?
It's free. Nothing about five 9's at all. If you want five 9's you run a cluster, not a single box running any OS.
You'd be amazed what a poor selling point that can be. It still evokes suspicion from a lot of businesses.
Not necessarily, as has already demonstrated.
According to TFA, he was buried at sea, so I don't think you'll get to see the body.