Linked by Thom Holwerda on Tue 17th Jul 2007 14:38 UTC, submitted by mikemuch
Windows "Way back in November 2006, when Windows Vista went from beta to RTM, Microsoft's Jim Allchin suggested that users might not need an antivirus program, thanks to the new OS's stronger security features. While the statement was subsequently clarified until it lost all its meaning, the question remains: Do Vista users really need an antivirus program running in the background at all times?"
Why to use an AV then?
by Joe User (0.88) on Tue 17th Jul 2007 15:00 UTC
Joe User
Member since:
2005-06-29
Fans: 1

From the article you don't need an AV as long as you don't execute any file type. Does this mean on XP you don't need an AV either? I mean you don't have UAC on XP but as long as you don't execute questionable files you should be as safe as if you had an AV. I use NOD32 and I have never had an AV alert over the last few years.

RE: Why to use an AV then?
by netpython (2.44) on Tue 17th Jul 2007 15:15 UTC in reply to "Why to use an AV then?"
netpython Member since:
2005-07-06
Fans: 6

There are still IE vulnerabilities. Not every exploit raises a warning message. Most of them are stealthy and use 0-days. Often they {temporarily or not} disable any AV or firewall implementation. Hence there are professional exploit kits being sold on the net that even have an update facility.

http://www.symantec.com/enterprise/security_response/weblog/2007/05...

In addition exploit auction sites do exist where you can buy and sell them.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14...


The fact that you haven't had a single AV alert doesn't necessarily mean you haven't been infected at some point.

RE[2]: Why to use an AV then?
by Bending Unit (2.6) on Tue 17th Jul 2007 15:28 UTC in reply to "RE: Why to use an AV then?"
Bending Unit Member since:
2005-07-06
Fans: 1

That probably won't work with Vista since IE uses protected mode. But I'm not sure.

RE[3]: Why to use an AV then?
by Kroc (3.08) on Tue 17th Jul 2007 16:24 UTC in reply to "RE[2]: Why to use an AV then?"
Kroc Member since:
2005-11-10
Fans: 14

The point of an exploit is that it breaks expected functionality. For example a Virus getting admin rights on a WinXP standard user. IE Protected mode is an extra barrier of protection that should stop drive-by-downloads, but an exploit that breaks the protected mode may be found one day.

What I do for customers who've had their machines heavily infected before is install Firefox, AdBlock, SiteAdvisor, AVG & Spybot/Defender and that seems to cover most vectors, leaving only social engineering / 0days.

Security is definitely about layers - including Anti Virus even if nothing might get that far. I would use AV on my Mac, but I've found that AV apps on Mac are of poor quality, and I can manage fine with my knowledge of the system since I don't have 140'000 different viruses to think about, only one or two that may crop up at some point.

RE[2]: Why to use an AV then?
by sappyvcv (2.36) on Tue 17th Jul 2007 16:53 UTC in reply to "RE: Why to use an AV then?"
sappyvcv Member since:
2005-07-06
Fans: 11

What do those links have to do with Vista and/or IE on Vista?

RE: Why to use an AV then?
by Laurence (2.88) on Tue 17th Jul 2007 18:30 UTC in reply to "Why to use an AV then?"
Laurence Member since:
2007-03-26
Fans: 3

"From the article you don't need an AV as long as you don't execute any file type. Does this mean on XP you don't need an AV either? I mean you don't have UAC on XP but as long as you don't execute questionable files you should be as safe as if you had an AV."

....and view questionable websites and read questionable e-mails....etc. ;)

The truth is people do and will continue to do so.

Besides, it's not always easy to tell which programs are safe and which are not. Yes, a little intelligence and a lot of common sense go a long way, but the people who write these exploits are not stupid either.

RE[2]: Why to use an AV then?
by OSGuy (3.08) on Thu 19th Jul 2007 11:15 UTC in reply to "Why to use an AV then?"
OSGuy Member since:
2006-01-01
Fans: 0

The problem is, sometimes you don't need to do anything to get a virus. It has happened before on an unpatched system. No open windows, nothing but the desktop on screen so you get the virus by simply being connected to the net. This rarely happens of course but as long as the system is patched, you should be fine without an AV on XP. I used to have no AV for 6/7 years. I recently started using NOD32 even though I trust what I download, "just in case" I want to scan the file.

The problem with UAC is that it hurts advanced users. As the article says, you can't protect someone from himself. Why? Well, even though they get prompted with a warning not to run this file, most ignorant users will just click "Allow" anyway.....

Edited 2007-07-19 11:17

Nice article
by kiz01 (2.16) on Tue 17th Jul 2007 15:00 UTC
kiz01
Member since:
2005-07-06
Fans: 0

Summary:

UAC may be super annoying but it can stop just about any program from installing making it an excellent security tool. It's so good that it could remove the need for an antivirus. Unfortunately, Joe User is really stupid and odds are he'll ignore the UAC messages and install the virus anyway.

Conclusion: The average user needs an antivirus because they are too ignorant to get along without one.

I think it really sums up the plight of the average user. They don't understand their computer, which makes them easy victims. They don't want to understand their computer, which ensures that they continue to be easy victims. Therefore they need an antivirus program to clean up the messes they make.

RE: Nice article
by baadger (2.52) on Tue 17th Jul 2007 15:19 UTC in reply to "Nice article"
baadger Member since:
2006-08-29
Fans: 1

Personally I'd rather fix computer systems of friends and family when they get hit by the odd piece of nasty annoying adware than constantly 'check up' on their PC because Norton Shitority Suite 2015 and all the other RAM and I/O hungry gunk they have installed is making it run like muck. And I'm sure I'd be doing it less frequently too.

I have a friend with a beautiful £1k Core2/XP/2GB system which I recently had to wipe and reinstall because it was blue screening, and just generally running worse doing desktop tasks than my old Pentium II. It saddens me to see someone spend so much money on a system, for me to build it, install all they need and to see it fly, only to see the same desktop 3 months later with 17 system tray icons and the whole thing running like shit. The last thing he needed was resident AV.

On the Windows platform, the boundaries between viruses, spy and adware and just bad bloaty software with system wide negative effects are smearing and AV doesn't help.

RE: Nice article
by _mikk (2.16) on Tue 17th Jul 2007 20:11 UTC in reply to "Nice article"
_mikk Member since:
2005-10-19
Fans: 0

Yeah it would be nice, now wouldn't it?

Users actually paying attention...
I mean it sounds like a great idea to me, or more like utopia *sigh*

People will either turn the damn thing off, or click "OK" every time.

I mean, in XP, by default (right after you install) you get asked whether or not you want to execute something you've just downloaded. Doesn't stop anybody, or any virus...

Oh well....

RE[2]: Nice article
by marafaka (2.08) on Tue 17th Jul 2007 21:24 UTC in reply to "RE: Nice article"
marafaka Member since:
2006-01-03
Fans: 0

How do you get along treating people like that? They did not buy their machines to run some voodoo shiite but to fulfill a specific need. Do you think it's all right if salami crawls out of your fridge at night and eats your money just because you didn't buy and read the required 7 books about having a salami?

Every story has two sides and moronic developers / industry is the other side of this one.

RE[3]: Nice article
by _mikk (2.16) on Wed 18th Jul 2007 12:59 UTC in reply to "RE[2]: Nice article"
_mikk Member since:
2005-10-19
Fans: 0

I agree, and "computer is no toaster, so if you want a toaster, buy yourself a toaster" is the other side of the equation.

Now, users should be educated, computers are not appliances, even though majority are trying to treat them as such.

In today's world, this leads to DDoS attacks (or should I say "attack of the clones") and other nasty things.

So, relying solely on users for security is unfeasible today, as people continue to click "or download me and I will infect you" e-mail links, click on "OK" in UAC (it's very annoying, UAC that is) and do the rest of their day-to-day activities.

So, Firewall, antivirus, spam scanners, are all a must in a Windows world (some are a must everywhere)

Oh well...

RE[2]: Nice article
by tspears (1.36) on Wed 18th Jul 2007 13:31 UTC in reply to "RE: Nice article"
tspears Member since:
2006-05-22
Fans: 0

Users actually paying attention...
I mean it sounds like a great idea to me, or more like utopia


I see it as job security more than a burden ;-)

RE[3]: Nice article
by hollovoid (1.88) on Wed 18th Jul 2007 13:50 UTC in reply to "RE[2]: Nice article"
hollovoid Member since:
2005-09-21
Fans: 0

True.

I admit, it is frustrating that the same people go to the same online poker/porn/download site and get the same junk like they don't remember what happened the last 8 times they did, but I sure do like the money, so go naive! What's a little harder to explain is when they notice most of the lag in their system comes from the software that they spent 90 dollars on that promised to free them of this worry *cough* NAV *cough*.

It's amazing how fast a computer runs when you know enough about what you're doing to finally rid yourself of resident scanners. Best bet is to disable the resident and just run the on access once or twice a week, or use the built in scheduler to make it happen when you know you won't be around. OR use Linux and relax. But to be honest I've yet to see a virus on my Windows machine in many many years, common sense and an interest in knowing what your system is up to goes a VERY long way.

RE: Nice article
by kaiwai (1.32) on Wed 18th Jul 2007 02:27 UTC in reply to "Nice article"
kaiwai Member since:
2005-07-06
Fans: 19

Conclusion: The average user needs an antivirus because they are too ignorant to get along without one.


But that doesn't really get to the source of the problem. The problem isn't ignorance - we were all ignorant at one point in time about computers. The issue is what we did (versus what they didn't do) to address that problem.

Unfortunately ignorance is part of a bigger social issue in the world - look around. Society in general praises ignorance, as if it were something to be proud of - who gets more kudos, a 'book reading geek' or some muscle bound athlete who is as thick as two short planks?

Until people are willing to see that knowledge is a good thing to have, and learning for the sake of learning (rather than a job) is a great thing to promote, we'll continue to have ignorant people who think they can get away with the bare minimum to be able to operate a computer effectively.

RE: Nice article
by jessta (3.76) on Wed 18th Jul 2007 09:46 UTC in reply to "Nice article"
jessta Member since:
2005-08-17
Fans: 3

The thing is that Joe User shouldn't be installing stuff on a computer. He doesn't have the skills required so he shouldn't be doing it.

In the same way, Joe User shouldn't be cooking unless he knows about food poisoning and how to prevent it.

The problem is that the IT industry, in trying to sell its products, promotes the idea that 'anyone can do it' and 'no learning necessary'. No other industry does that to the extent that the IT industry does.

We created the 'idiot user', We brought this on ourselves and now we have to deal with it.

RE[2]: Nice article
by PJBonoVox (3.32) on Wed 18th Jul 2007 12:14 UTC in reply to "RE: Nice article"
PJBonoVox Member since:
2006-08-14
Fans: 0

I agree with a lot of what you say, but be careful who you call 'we'. I was much happier when only geeks (generally speaking) used computers, and I'm certainly not guilty of peddling the computer life to non-geeks. I'm not being elitist, it was just 'better times' back then.

RE[2]: Nice article
by tryphcycle (0.04) on Wed 18th Jul 2007 17:38 UTC in reply to "RE: Nice article"
tryphcycle Member since:
2006-02-16
Fans: 1

"We created the 'idiot user', We brought this on ourselves and now we have to deal with it."


Here is another one!

RE[2]: Nice article
by tryphcycle (0.04) on Wed 18th Jul 2007 17:35 UTC in reply to "Nice article"
tryphcycle Member since:
2006-02-16
Fans: 1

"UAC may be super annoying but it can stop just about any program from installing making it an excellent security tool. It's so good that it could remove the need for an antivirus. Unfortunately, Joe User is really stupid and odds are he'll ignore the UAC messages and install the virus anyway."


I love when PC know-it-alls talk about how stupid and ignorant "Joe user" is. Like they were never THAT guy! You arrogant PC dorks need to show some modesty and humility and stop acting like you are so f'n special because you can point and click better than the next guy! WE ALL started as Joe User!

In my experience, the dorks that act like this around less experienced computer people are the ones that really don't know their ass from a hole in the ground!!!!

RE[3]: Nice article
by Caspian (2.32) on Wed 18th Jul 2007 17:44 UTC in reply to "RE[2]: Nice article"
Caspian Member since:
2006-01-01
Fans: 1

Hi! Welcome to osnews.

The difference between Joe user and the "PC know-it-all" is that there are many MANY people who refuse to learn, or do not wish to learn, and thus stay in their ignorant little blissful world, going to all the porn sites on IE, and opening up all the attachments from their spam inbox.

The "PC know-it-all" isn't whom you are thinking of. You are thinking of the people who format more than once a year. A true "PC know-it-all" usually doesn't format their systems, usually controls large corporate networks, and usually isn't biased towards any operating system, and can use the big 3 equally as well.

By your logic, Le Mans drivers should never be able to complain about people who are bad drivers, because they all started as average drivers.

punkbuster
by netpython (2.44) on Tue 17th Jul 2007 15:03 UTC
netpython
Member since:
2005-07-06
Fans: 6

"Until a user learns enough not to open attachments or peruse other avenues that often lead to infection" Or being forced to go online as admin because punkbuster wants to.

Browser: Links (1.00pre12; Linux 2.6.21.5-ph-grsec i686; 157x54) (Debian pkg 0.99+1.00pre12-1.1)

RE: punkbuster
by PJBonoVox (3.32) on Wed 18th Jul 2007 12:15 UTC in reply to "punkbuster"
PJBonoVox Member since:
2006-08-14
Fans: 0

Please stop posting that stupid little signature.

RE[2]: punkbuster
by BluenoseJake (2.68) on Wed 18th Jul 2007 16:38 UTC in reply to "RE: punkbuster"
BluenoseJake Member since:
2005-08-11
Fans: 7

Why should they? Seems like you get annoyed easily.

And...
by merkoth (4.72) on Tue 17th Jul 2007 15:04 UTC
merkoth
Member since:
2006-09-22
Fans: 1

The final conclusion is that the best weapon against malware is common sense and education. No matter how many antivirus/antispyware/antiphishing tools someone might write for you, you must know how to use a computer.

It's a shame that most users have absolutely no idea about what the hell they are doing, while opening that "funny" 6Mb GIF their friend "SuppaPrizes1546" just sent them.

Only system wide
by metaph3r (1.44) on Tue 17th Jul 2007 15:12 UTC
metaph3r
Member since:
2006-09-07
Fans: 0

If I understand it correctly UAC only prevents system wide infection. If malware tries to install itself only in the home directory of the user UAC would not be much of a help. Just like a limited user account on XP or Mac or Linux ...

RE: Only system wide
by netpython (2.44) on Tue 17th Jul 2007 15:49 UTC in reply to "Only system wide"
netpython Member since:
2005-07-06
Fans: 6

Just like a limited user account on XP or Mac or Linux ...

Except on Mac OS X and Linux systems you are in control if you want quite easily.

On Linux you could patch the kernel with grsecurity. And for example activate a lot of protection until you have a healthy mix of security and usability. For example you could set the group IDs for no sockets allowed, no server sockets allowed, no client sockets allowed and trusted path. Trusted path for example refuses to run anything that isn't run from a proper install directory.

eg:
-rwx------ 1 pharmsen pharmsen 6661 2007-07-17 17:30 3

pharmsen@cornucopia:~$ ./3
bash: ./3: Permission denied
pharmsen@cornucopia:~$ chmod +x 3
pharmsen@cornucopia:~$ ./3
bash: ./3: Permission denied

My mother for example probably never will compile and run her own programs and neither will a lot of other general users.

Once you have set the group IDs you can populate them with kuser or 'gnome Users and Groups'.

Adding root to the "no socks" group would prevent apt or any app run as root connecting to the net. There's perhaps no direct need for the "man" (manual) user to have a network connection. Neither does the average user account have to run server applications so you could add your user account to the "no server" group just to prevent the average user from running them altogether.

In my opinion the problem with UAC is it gives the average user too much to handle. Instead a general default policy after the initial install of Vista would save a lot of users the nasty and perhaps obsolete questions and might benefit security a little more. Power users can still tweak the settings until the system is rendered useless :-)
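
The trusted path rule described in the comment above, as a user-space approximation added here for illustration (it is not netpython's code and not grsecurity's implementation): a file counts as runnable only if its directory is owned by the trusted uid and is not group- or world-writable. The function names and the `trusted_uid` parameter are assumptions made for the example; the sample file `3` is constructed.

```python
import os
import stat
import tempfile


def dir_is_trusted(directory, trusted_uid=0):
    """Return (trusted, reason) for one directory.

    Approximates the basic trusted-path rule: the directory must be owned
    by the trusted uid (root by default) and writable by nobody else.
    """
    st = os.stat(directory)
    if st.st_uid != trusted_uid:
        return False, f"owned by uid {st.st_uid}, not uid {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    return True, "owned by trusted uid and writable only by its owner"


def tpe_would_allow(path, trusted_uid=0):
    """Would a restricted user be allowed to execute `path`?

    Only the containing directory matters. The execute bit on the file is
    irrelevant, which is why `chmod +x` changes nothing in the session
    quoted in the comment.
    """
    directory = os.path.dirname(os.path.realpath(path))
    return dir_is_trusted(directory, trusted_uid)


def untrusted_path_dirs(path_env, trusted_uid=0):
    """Audit a PATH-style string; return [(entry, reason)] for every
    existing directory a restricted user could not execute from."""
    failures = []
    for entry in path_env.split(os.pathsep):
        if not entry or not os.path.isdir(entry):
            continue  # skip empty and missing entries
        trusted, reason = dir_is_trusted(os.path.realpath(entry), trusted_uid)
        if not trusted:
            failures.append((entry, reason))
    return failures


if __name__ == "__main__":
    # Constructed sample: an executable named "3" in a user-owned directory,
    # mirroring the denied ./3 in the comment (trusted uid is root).
    home = tempfile.mkdtemp(prefix="home-")
    sample = os.path.join(home, "3")
    with open(sample, "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(sample, 0o700)

    allowed, reason = tpe_would_allow(sample)
    print(f"{sample}: {'allowed' if allowed else 'denied'} ({reason})")

    # Audit the current PATH for directories that would fail the same rule.
    for entry, why in untrusted_path_dirs(os.environ.get("PATH", "")):
        print(f"PATH entry {entry}: {why}")
```
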

RE[2]: Only system wide
by pandronic (4.24) on Tue 17th Jul 2007 18:58 UTC in reply to "RE: Only system wide"
pandronic Member since:
2006-05-18
Fans: 1

What language are you speaking, man?

RE[3]: Only system wide
by netpython (2.44) on Tue 17th Jul 2007 20:08 UTC in reply to "RE[2]: Only system wide"
netpython Member since:
2005-07-06
Fans: 6

What language are you speaking, man?

Native Dutch, I know my English sucks :-)

Sensible Computing
by Bink (3.48) on Tue 17th Jul 2007 15:18 UTC
Bink
Member since:
2006-02-19
Fans: 0

I've been using Vista for a few months without any AV software. Then again, prior to Vista I ran Windows 2003 on my desktop with AV software, but I kept the software disabled. Even before Vista I always used a normal user account for everyday tasks, and used Run as to do Administrative functions, so, as the article states, sensible computing goes a very long way here.

Microsoft didn't invent the concept of using a normal user to perform everyday tasks—UNIX has been doing this for quite a long time—but they might have invented the concept of using an Administrative or equivalent account to perform everyday tasks (and I wonder if they've patented this). The "nice" thing about all of this is that the "monopoly OS of today" finally respects normal user accounts; I've always felt computers and the Internet were too dangerous for the average person to use and Vista might, finally, make some inroads here.

I've been virus free for many years now, but I do agree that I'm taking a bit of a risk here and might reconsider. Then again, my BSD box has never had an AV software on it…

Edited 2007-07-17 15:19

RE: Sensible Computing
by airwedge1 (2.92) on Tue 17th Jul 2007 17:28 UTC in reply to "Sensible Computing"
airwedge1 Member since:
2006-02-22
Fans: 0

"but they might have invented the concept of using an Administrative or equivalent account to perform everyday tasks (and I wonder if they've patented this). "

This has been around for decades if not more. It's called sudo. All the Linux distributions I have used log you in as a normal user, and when you need to do something as root, it will prompt to enter a password, and then you run the particular program as the root account, or you can also manually run the program as root.

Patents are dumb.

RE[2]: Sensible Computing
by renhoek (1.68) on Tue 17th Jul 2007 18:14 UTC in reply to "RE: Sensible Computing"
renhoek Member since:
2007-04-29
Fans: 0

And in XP/200 you have this too. It's called runas.exe and people should be made aware of it. Really.. use it. It's not hard. Right-click (sometimes with shift or ctrl) also shows the runas if you are a normal user.

NT has a very good security mechanism (although a bit complex), but due to the insane defaults Windows is extremely insecure. Windows can be better protected than Unix (using ACLs, rules for executing programs etc etc) but because this is also a lot more complex and has bad default values nobody does it. And as a result Windows is more insecure in practice.

RE[3]: Sensible Computing
by airwedge1 (2.92) on Tue 17th Jul 2007 20:38 UTC in reply to "RE[2]: Sensible Computing"
airwedge1 Member since:
2006-02-22
Fans: 0

No sh%t, I was responding to the fact that the previous post said Microsoft invented it, and they have/should file a patent, which would be completely ridiculous (but they probably have filed a patent for it, and got it). Microsoft never comes up with anything original, they just copy ideas off of other people.

RE[4]: Sensible Computing
by Almafeta (3.36) on Tue 17th Jul 2007 23:31 UTC in reply to "RE[3]: Sensible Computing"
Almafeta Member since:
2007-02-22
Fans: 5

It's amusing how, no matter what technology people speak of, Unix retroactively did it first.

RE[2]: Sensible Computing
by BluenoseJake (2.68) on Tue 17th Jul 2007 20:09 UTC in reply to "RE: Sensible Computing"
BluenoseJake Member since:
2005-08-11
Fans: 7

That is not the same as logging in as administrator or equivalent in Windows, with sudo, the user is given administrative rights after providing proof that they are who they say they are, when running as administrator in windows, whatever happens, happens, no prompts, no hassles, no security.

Irony.
by cyclops (1.68) on Tue 17th Jul 2007 15:30 UTC
cyclops
Member since:
2006-03-12
Fans: 3

Why is OneCare available for Vista?

Losing battle
by bolomkxxviii (3.88) on Tue 17th Jul 2007 15:35 UTC
bolomkxxviii
Member since:
2006-05-19
Fans: 0

I agree Microsoft finally did the right thing in Vista by using user accounts. I am not sure how much it will really help though. The problem remains that with so many people using one OS (>90%) they are just too big of a target. It wouldn't matter if the OS was 100% bulletproof. The black hats would hit the systems in their weakest point...the user. I am not going to say what others have about "dumb users". While most readers of OSNews are technically savvy, most computer users these days know just enough about their computers to send e-mails. If they get something that looks like it comes from Microsoft and says "critical" with flashing backgrounds and warning of dire warnings of NOT clicking the little "yes" box, guess what they are going to do. I am not a Microsoft fan, but how do you protect against this kind of thing? Social engineering is hard to beat.

RE: Losing battle
by edogawaconan (2) on Tue 17th Jul 2007 16:01 UTC in reply to "Losing battle"
edogawaconan Member since:
2006-10-10
Fans: 0

The best defense against computer viruses might not even be UAC or antivirus software, but a crafty combination of education and common sense.

Very true. A good closing sentence.

Do Vista users need AV - shorter summary
by fretinator (4.24) on Tue 17th Jul 2007 15:56 UTC
fretinator
Member since:
2005-07-06
Fans: 6

Yes

Kroc Member since:
2005-11-10
Fans: 14

There is a billion dollar industry in the exploitation of users. There is also a billion dollar industry in security software.

Neither of these is going to disappear overnight, as much as Microsoft would like that.

fretinator Member since:
2005-07-06
Fans: 6

Neither of these is going to disappear overnight, as much as Microsoft would like that.


Actually, it is a symbiotic relationship. I don't think Microsoft wants 3rd-party ISV's to go away. It is the strength of the Windows platform (from a marketing standpoint) that there is so much software out there that runs on Windows. They want to always encourage ISV's, and they have provided great development tools for them to create Windows-only software. That is why Microsoft walks a fine line. They often want to make products in new software channels (e.g., security software), and yet for the sake of Windows platform dominance, they must not crush all competitors. It's a tricky business.

Almafeta Member since:
2007-02-22
Fans: 5

I think the point he was trying to make was that, in a perfect world, no company would try to bilk users by installing spyware/malware on their machines, and thus there would be neither an exploitation industry nor a security industry.

kaiwai Member since:
2005-07-06
Fans: 19

Actually, it is a symbiotic relationship. I don't think Microsoft wants 3rd-party ISV's to go away. It is the strength of the Windows platform (from a marketing standpoint) that there is so much software out there that runs on Windows. They want to always encourage ISV's, and they have provided great development tools for them to create Windows-only software. That is why Microsoft walks a fine line. They often want to make products in new software channels (e.g., security software), and yet for the sake of Windows platform dominance, they must not crush all competitors. It's a tricky business.


You're right about that - like I said to a mate a few days ago, if an alternative platform like Solaris had equal hardware support and availability of software of Windows, no one would be running Windows. People are wedded to Windows by virtue of the applications they need and hardware they use.

You're right about that fine line; they can make their operating system as secure as possible, but security software will be needed; if they fail to provide it they're slammed, if they provide it they're slammed for trying to kill off competition (whilst these detractors completely ignore the fact that the end user must actually choose to purchase the software - but never let facts get in the way of a good anti-Microsoft rant).

Microsoft has to walk the fine line of implementing security and maintaining backwards compatibility; if they implement it and break compatibility they're slammed, if they maintain backwards compatibility they have to make compromises.

I think people here need to realise that its a whole lot more complex - what I do hope is that with virtualisation, the ability to have a more secure desktop will be possible.

UAC
by systyrant (3.04) on Tue 17th Jul 2007 16:30 UTC
systyrant
Member since:
2007-01-18
Fans: 2

While many users consider UAC an annoyance, it could be a godsend in the fight to keep computers malware-free. Viruses, Trojans, worms, and spyware often comes in the form of email attachments, and while knowledgeable users know not to launch executables that come in via email from unknown sources, plenty of less security savvy users get tricked every day.

I particularly like this piece because to me it highlights some of the real problems with computer security. The first problem is that software companies are pushing security back onto the user. The second problem is the average user (who makes up the majority of computer users) isn't real computer literate to begin with.

Almost all of the computer users I know don't read warning boxes if they repeat themselves too many times. At some point you just start clicking OK. Relying on the end user to be the deciding factor on security isn't a real good idea in my opinion. I don't know any better way, but this way simply can't be the best way.

RE: UAC
by anomie (4) on Tue 17th Jul 2007 16:55 UTC in reply to "UAC"
anomie Member since:
2007-02-26
Fans: 0

Relying on the end user to be the deciding factor on security isn't a real good idea in my opinion. I don't know any better way, but this way simply can't be the best way.

It seems like at the moment MS is walking a tight rope between past installations (user has privileges to unwittingly infect/destroy his system) and Vista (user has to first agree to unwittingly infect/destroy his system).

The next logical step in my mind would be: user has privileges to do nothing but access/read user applications and update his own workspace. Application and system updates can only occur via a secure channel in a special system mode.

That would go a long way in preventing self-inflicted pain. Not sure if users would accept that (or pay for it) though.

edit: clarified.

Edited 2007-07-17 16:56

RE: UAC
by fretinator (4.24) on Tue 17th Jul 2007 17:08 UTC in reply to "UAC"
fretinator Member since:
2005-07-06
Fans: 6

The real problem is how Windows apps were created for YEARS. Applications have had free rein of the computer, and were essentially running in "God-mode". This was despite the fact that Microsoft for years has been pushing developers to use user profile directories (c:\documents and settings\user...). I used to write a lot of applications that assumed they could write to the application directory. Things like this are unheard of in the Unixish world. These things are hard to change. Vista and UAC just point this out. Hopefully, applications will start following the rules and these dialogs should decrease in number. In a worst-case scenario though, people just turn UAC off. I've even read articles where this is the suggested course of action. No! No! No! The only chance Windows has to be even a little secure is for people to run in limited-access accounts like people have been doing in the Unixish world for years. Otherwise, abandon all hope ye who enter the Winders world!

RE[2]: UAC
by systyrant (3.04) on Tue 17th Jul 2007 18:20 UTC in reply to "RE: UAC"
systyrant Member since:
2007-01-18
Fans: 2

The only chance Windows has to be even a little secure is for people to run in limited-access accounts like people have been doing in the Unixish world for years. Otherwise, abandon all hope ye who enter the Winders world!

Once again relying on the end user to do the right thing. ;)

It's not just Microsoft though. When I first purchased ZoneAlarm it hardly ever asked me for anything. Before I ceased use of it I was getting pop-up after pop-up. At some point I just started ignoring them and hitting OK, like so many others. The only difference between me and the average user is that I am much more careful about where I surf and what programs I install, but that doesn't mean I'm safe.

As others have pointed out the truly weakest link in computer security is the end user. Relying on them to do the right thing is just a bad idea.

RE[3]: UAC
by Laurence (2.88) on Tue 17th Jul 2007 18:37 UTC in reply to "RE[2]: UAC"
Laurence Member since:
2007-03-26
Fans: 3

"As others have pointed out the truly weakest link in computer security is the end user. Relying on them to do the right thing is just a bad idea."

Couldn't agree more. Microsoft's "we'll nag you to avoid running cr@p" style of system protection is madness.

It's like your mother whinging on at you that if you keep climbing trees you'll keep falling off. Her whinging never stopped me climbing trees (and neither did the falling off lol). The only thing that stopped me was the bulldozers that ripped the trees up to build new houses.

RE[2]: UAC
by kaiwai (1.32) on Wed 18th Jul 2007 03:09 UTC in reply to "RE: UAC"
kaiwai Member since:
2005-07-06
Fans: 19

The real problem is how Windows apps were created for YEARS. Applications have had free rein of the computer, and were essentially running in "God-mode". This was despite the fact that Microsoft for years has been pushing developers to use user profile directories (c:\documents and settings\user...). I used to write a lot of applications that assumed they could write to the application directory. Things like this are unheard of in the Unixish world. These things are hard to change. Vista and UAC just point this out. Hopefully, applications will start following the rules and these dialogues should decrease in number. In a worst-case scenario though, people just turn UAC off. I've even read articles where this is the suggested course of action. No! No! No! The only chance Windows has to be even a little secure is for people to run in limited-access accounts like people have been doing in the Unixish world for years. Otherwise, abandon all hope ye who enter the Winders world!


You do realise that a good number of Microsoft applications, such as Visual Studio, are not 'limited user' compliant.

I find it funny when Microsoft is angry about compatibility issues between applications and their operating system, and yet, they do very little to ensure that when they ship their operating system their own software actually works as it should.

The problem is that they made compromises in Windows 2000 (which was meant to be the replacement for the 9x line) and Windows XP; they refused to put their foot down and say, "this is the bar, get your applications to this standard - we won't compromise our product quality for your compatibility".

RE[3]: UAC
by BluenoseJake (2.68) on Wed 18th Jul 2007 15:41 UTC in reply to "RE[2]: UAC"
BluenoseJake Member since:
2005-08-11
Fans: 7

"You do realise that a good number of Microsoft applications, such as Visual Studio, are not 'limited user' compliant."

This is not true, I run Visual Studio 2002 and 2005 as a limited user every day, there is nothing to it. The only thing I had to do was when doing web development, I had to define the url in the .NET configuration as trusted. Any other MS apps that need Admin (some tools do) you use runas.

RE[4]: UAC
by kaiwai (1.32) on Thu 19th Jul 2007 01:04 UTC in reply to "RE[3]: UAC"
kaiwai Member since:
2005-07-06
Fans: 19

"This is not true, I run Visual Studio 2002 and 2005 as a limited user every day, there is nothing to it. The only thing I had to do was when doing web development, I had to define the url in the .NET configuration as trusted. Any other MS apps that need Admin (some tools do) you use runas."

Given that 2002 isn't supported by Microsoft and 2005 just recently received an update which corrected issues with UAC, what I said is true - SP1 for Visual Studio was released 30/06/2007.

Also, look through http://connect.microsoft.com/VisualStudio/content/content.aspx?Cont... at the number of bugs related to Windows Vista.

Oh, and when you run something like 'run as' it is a failure; if your application needs to have administration privileges, there is something *very* wrong.

Microsoft could have done it like this:
by axilmar (1.44) on Wed 18th Jul 2007 14:31 UTC in reply to "RE: UAC"
axilmar Member since:
2006-03-20
Fans: 0

Microsoft did not think of the correct approach, methinks. They tried to imitate Unix, with user/administrator accounts, home folders etc. That would not work, and it hasn't worked, as Vista proves.

What Microsoft should have done is to virtualize the O/S for each user, i.e. applications should be able to see the whole O/S, but in reality each user would have his own version of the O/S, not affecting the other users. Files would be shared by all users, until modified, i.e. use the copy-on-write technique on files, so that each user maintains his own consistent view of the operating system.
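
The per-user copy-on-write view proposed in the comment above, sketched as an added example (not part of the original thread, and not a description of how any Windows version works). `PerUserView` and its methods are hypothetical names; the file contents are constructed.

```python
import os
import pathlib
import tempfile

class PerUserView:
    """Reads fall through to the shared base; changes stay in a private layer."""

    def __init__(self, base, private):
        self.base, self.private = os.path.realpath(base), os.path.realpath(private)
        self.whiteouts = set()  # files this user deleted from their own view

    def _path(self, root, name):
        # Refuse names that resolve outside the layer ("../", absolute paths).
        path = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([path, root]) != root:
            raise PermissionError(f"path escapes the view: {name}")
        return path

    def read(self, name):
        own = self._path(self.private, name)
        if own in self.whiteouts:
            raise FileNotFoundError(name)
        src = own if os.path.exists(own) else self._path(self.base, name)
        with open(src, "rb") as f:
            return f.read()

    def write(self, name, data):
        own = self._path(self.private, name)
        os.makedirs(os.path.dirname(own), exist_ok=True)
        with open(own, "wb") as f:
            f.write(data)
        self.whiteouts.discard(own)

    def delete(self, name):
        self.read(name)  # raises if the file is not visible to this user
        own = self._path(self.private, name)
        if os.path.exists(own):
            os.remove(own)
        self.whiteouts.add(own)  # hide the shared copy without touching it

def demo():
    """Constructed scenario: two users change the same shared file."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = pathlib.Path(tmp, "base", "hosts")
        shared.parent.mkdir()
        shared.write_bytes(b"shared\n")
        alice = PerUserView(shared.parent, os.path.join(tmp, "alice"))
        bob = PerUserView(shared.parent, os.path.join(tmp, "bob"))
        alice.write("hosts", b"alice's edit\n")
        bob.delete("hosts")
        return alice.read("hosts"), shared.read_bytes()
```

Alice sees her edit, Bob no longer sees the file, and the shared copy is byte-for-byte unchanged; the containment this gives is only as strong as the guarantee that nothing can write to the base layer directly.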

I don't have one on XP either
by Bit_Rapist (4.4) on Tue 17th Jul 2007 17:24 UTC
Bit_Rapist
Member since:
2005-11-13
Fans: 1

Well I have an antivirus application (ClamWinAV) but there is no 'on access' scanner yet and even if there was I would not run it.

If I suspect a virus I run the program manually, or it can be scheduled to check all files at night when I'm asleep.

On Access virus scanners running at all times are only needed if you download tons of questionable stuff like software cracks all day or you have meatheads for friends who send you all sorts of trojans on accident.

RE: I don't have one on XP either
by PJBonoVox (3.32) on Wed 18th Jul 2007 12:25 UTC in reply to "I don't have one on XP either"
PJBonoVox Member since:
2006-08-14
Fans: 0

...or your firewall doesn't work correctly, or it has holes, or you don't realise that your web browser has exploit issues, or...

RE[2]: I don't have one on XP either
by Bit_Rapist (4.4) on Wed 18th Jul 2007 14:37 UTC in reply to "RE: I don't have one on XP either"
Bit_Rapist Member since:
2005-11-13
Fans: 1

"...or your firewall doesn't work correctly, or it has holes, or you don't realise that your web browser has exploit issues, or..."

Install a hardware router, double check to make sure nothing is in the DMZ and run an alternate browser like Firefox. You can have quite a safe and clean experience on Windows with that combo.

You can buy into all the FUD and load up on anti-virus, software firewalls, malware scanners etc. etc and attempt to have a nice time while your once fast machine grinds to a halt.

Hmm...
by Almafeta (3.36) on Tue 17th Jul 2007 19:00 UTC
Almafeta
Member since:
2007-02-22
Fans: 5

You know, common sense is one of these things that users could really use some more of.

I wonder if an article about the habits of secure computer users would be a good article for OSNews? Just print it out and hand it to Ma or Pa User whenever they ask why their computer doesn't work.

RE: Hmm...
by frajo (1.5) on Tue 17th Jul 2007 20:05 UTC in reply to "Hmm..."
frajo Member since:
2007-06-29
Fans: 0

"I wonder if an article about the habits of secure computer users would be a good article for OSNews?"

They should stage a security TV competition show where the best user/box tandems in terms of efficiency (defined as usability divided by efforts) are rewarded with some nice prizes.
And I'll be there with my eCS box. ;)

This Article is ...
by inetman (1.95) on Tue 17th Jul 2007 19:10 UTC
inetman
Member since:
2006-05-30
Fans: 0

... naive somehow. No question, the author is right when he claims that the best protection for your computer is NOT TO RUN MALWARE on it. Sadly this isn't reality, nor is it practicable. Let's have a look at a common home desktop used by, let's say, my mother and some kind of fantasy-little-sister:
Everybody knows how much garbage, little games and stuff are in the spotlight of interest of both these actors. I'd give an unprotected Windows Computer less than a week until it is infected with at least one piece of malware.

UAC and Win Defender are nice tools to prevent programs from running with Admin rights. But they don't prevent any ID-Theft Trojans, which use the Internet Explorer API to call back home to steal your cookies, your Thunderbird/Firefox/IE Passwords/Saved Forms and so on. They can easily place themselves in %APPDIR% of the logged-in User and steal only its information. Believe me, most victims will find the malware on their own; malware doesn't have to infect any user on a desktop PC, the user will do it....

Just my 2 cents.

Regards
Patrick

RE: This Article is ...
by BluenoseJake (2.68) on Tue 17th Jul 2007 20:15 UTC in reply to "This Article is ..."
BluenoseJake Member since:
2005-08-11
Fans: 7

"But they don't prevent any ID-Theft Trojans, which use the Internet Explorer API to call back home to steal your cookies, your Thunderbird/Firefox/IE Passwords/Saved Forms and so on."

No, that's what IE protected mode is for. Vista security is not all UAC you know.

Cerebro
by sb56637 (3.16) on Tue 17th Jul 2007 19:39 UTC
sb56637
Member since:
2006-05-11
Fans: 0

>>If you read enthusiast message boards, you often see the more boastful users assert that they've been running Windows XP for four years without an antivirus program and without contracting a virus, simply by avoiding illicit software and email attachments.
>>

That would be me. I might add that you also have to avoid using USB Flash drives that have been connected to other Windows systems. If you're in that situation, open the drive first in Linux and delete the crapware that other people's computers invariably copy to it, then it's clean for Windows XP.

Windows is a security nightmare, but if you use your head you won't get infected. And if you don't use your common sense, no software program in the world will protect you from all the threats.

Can be done on xp too
by WyldStylist (1.04) on Tue 17th Jul 2007 19:43 UTC
WyldStylist
Member since:
2006-12-30
Fans: 0

Have IE core removed (Nlite/Xplite) and services that use internet, enter DNS manually.
Use HijackThis and Process Explorer, surf with K-Meleon (a browser not many use, thus exploiting interest hasn't risen against it yet).
So here I am with a 350 MB WinXP not using automatic updates or anything; the only thing that uses internet is my web browser and some torrent apps.

No viruses that can't be easily removed ;)

RE: Can be done on xp too
by netpython (2.44) on Tue 17th Jul 2007 20:11 UTC in reply to "Can be done on xp too"
netpython Member since:
2005-07-06
Fans: 6

"surf with K-Meleon (a browser not many use, thus exploiting interest hasn't risen against it yet)"

I hate to disappoint you but K-Meleon uses the Mozilla rendering engine :-)