#351414 - 09/04/2012 01:48
Re: Internet security software
[Re: hybrid8]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
|
Avast is fine, though I've seen it bog a couple systems down, and it's more in the user's face in my experience. But whatever gets people away from Norton or McAfee is fine with me.
_________________________
Matt
#351537 - 14/04/2012 12:03
Re: Internet security software
[Re: tanstaafl.]
|
enthusiast
Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
|
...I just remember to renew it before the renewal notices start.
I did that too until I found that instead of adding another year to the subscription, it changed the next renewal date to 12 months after the date I renewed, so I kept losing a few weeks' subscription each time. Now I just wait until it bugs SWMBO and she bugs me, then renew it the day before it expires.
_________________________
Peter.
"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best
#351556 - 16/04/2012 01:20
Re: Internet security software
[Re: Dignan]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Don't buy anything, just install Microsoft Security Essentials. It's the most lightweight program I've found for this sort of thing, and it gets high marks from every report I've seen on the subject. This is all I do if I'm forced to install something when in Windows land. Paying for security software always felt like paying mob protection money.
Now, cue the many people on this board who don't think you need antivirus. If I was a day to day Windows user today, I would have something installed. Over a decade ago, yeah, I didn't feel the need for virus protection. Most back then either exploited Windows machines directly connected to the internet (not behind a router/NAT/firewall setup), or were the trojans from the bad parts of the internet. These days, the malware/viruses come from plenty of legitimate sources, either via an ad banner, or a site being hacked to inject the malware.
Thankfully on OS X, Apple is staying on top of the issue for the most part. They were a bit slow to address the vulnerability in Java, but have now responded with not only a patch, but also a cleaner for anyone infected. Turns out, none of my systems were vulnerable anyway, but good to see the response. Same thing happened with the last trojan spread malware, Apple just built the cleaning/detection into the OS behind the scenes. So far nothing targeting the Mac has hit rootkit-like levels. If it does, then maybe I'll consider realtime security software.
The modern Linux threat seems to be from having a repository compromised. It's happened a few times, but the damage seems to be pretty minimal before someone notices. Or just installing a completely untrusted distribution, such as the recent "Anonymous Linux".
#351567 - 16/04/2012 16:24
Re: Internet security software
[Re: drakino]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Kaspersky estimated 600,000 infected systems. That's pretty significant.
_________________________
Bitt Faulk
#351568 - 16/04/2012 16:46
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Yeah, not downplaying the significance of it. Just not personally worried by it enough to run around and panic (I was immune since the malware checked for Xcode, and wouldn't install if it saw it). The estimate is that 600,000 represents roughly 1% of the estimated active user base, which percentage-wise is larger than the 0.7% Conficker hit on the Windows side. It's been a constant issue on Windows for, well, decades. Much more reason for proper panic there.
#351573 - 16/04/2012 20:16
Re: Internet security software
[Re: drakino]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
|
Yeah, not downplaying the significance of it. Just not personally worried by it enough to run around and panic (I was immune since the malware checked for Xcode, and wouldn't install if it saw it). The estimate is that 600,000 represents roughly 1% of the estimated active user base, which percentage-wise is larger than the 0.7% Conficker hit on the Windows side. It's been a constant issue on Windows for, well, decades. Much more reason for proper panic there.
I wouldn't say you have to worry about this particular threat. Rather, I'd worry that Macs are finally reaching the point where it's worth it for virus creators to target this large untapped market.
_________________________
Matt
#351574 - 16/04/2012 20:18
Re: Internet security software
[Re: Dignan]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
It's also worth pointing out that this wasn't a virus or worm, but a trojan. It still required that people type in their passwords. (It pretended to be an update to Flash.)
_________________________
Bitt Faulk
#351582 - 16/04/2012 23:32
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
It's also worth pointing out that this wasn't a virus or worm, but a trojan. It still required that people type in their passwords. (It pretended to be an update to Flash.)
Ummm...
"However, this latest version of Flashfake does not require any user-interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through the Java vulnerabilities"
tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
#351611 - 17/04/2012 13:36
Re: Internet security software
[Re: tanstaafl.]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I stand corrected.
_________________________
Bitt Faulk
#351616 - 17/04/2012 14:38
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
What is the proper classification of a browser (or plugin) based drive-by exploit? It still requires user intervention to be installed, but no need for the user to manually bypass security. I've personally never referred to these as proper viruses.
It should be noted that Java is not installed by default on OS X 10.7, and is removed if a user upgrades from 10.6 to 10.7. Apple did add a dialog to install it on first use. If the user ran just a normal Java application, the web portion isn't enabled. If a user browses first to a Java web page, they would have to manually click the little box where the Java applet was embedded to then get the install dialog. Makes me wonder how many of the infected installed Java for the first time just for the malware, compared to actually using Java prior to it.
For Matt, marketshare is likely part, but not the complete picture. History has lots of examples of the smaller marketshare systems being exploited like crazy (such as the real, proper self spreading virus problem classic Mac OS had), or systems that have a commanding marketshare without too many issues (Linux servers). Malware is evolving over the ages too, initially just being destructive for no good reason. Now it's mostly interested in turning a machine into a participant of a bot network used for spamming or other activities that can be bought and sold on the black market. Or stealing personal data to be resold in some form, including MMO logins to sell off their virtual currency.
It helps that OS X's core is a pretty battle-hardened Unix variant. Multi-user operating systems demand security-like features more than single-user systems (Classic Mac OS and Windows, and to some extent NT on the desktop with XP, Vista, 7), due to the nature of also needing to ensure one user couldn't impact another back in the mainframe days. Modern single-user systems (iOS/Android) still benefit a bit from their Unix-like heritage, and choose to add more security from day one with code signing and other technologies to help minimize the risk.
#351619 - 17/04/2012 15:09
Re: Internet security software
[Re: drakino]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
It's not self-propagating, so it can't be called a virus or a worm.
It's not remotely initiatable, so you can't really think of it as an automatedly run remote exploit.
SANS defines a trojan horse as "A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program."
To me, Flashback falls in this category. Flashback is part of a program that appears to have a useful function: Java. (No jokes about whether or not Java actually or only appears to have a useful function.) It could also be considered part of the web browser being used. It clearly matches the other parts of the definition.
There are obviously some leaps of logic in that argument, though.
_________________________
Bitt Faulk
#351631 - 18/04/2012 00:28
Re: Internet security software
[Re: Dignan]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
I wouldn't say you have to worry about this particular threat. Rather, I'd worry that Macs are finally reaching the point where it's worth it for virus creators to target this large untapped market.
Agreed. And the bad thing is that Apple decided to build on this silly idea of a "safer" system, which is not inherently true, and now many unaware users will pay the price for it. Not that this surprises me a bit, honestly, and I've been expecting this time to come for a while given the increasing market share of OSX.
The thing is, at work we all expect more and more users to crowd our tech support offices, and that's going to be a lot of work and resources to be organized, and a lot of money. And it is going to be the same in many organizations with an expanding OSX userbase. Thank you Apple for telling all these people they can be safe and they don't need any AV product.
Is there going to be another "I'm a Mac-I'm a PC" commercial series where the sneezing guy with the cold is the young and cool one, now? That would be less smug and more responsible, for once.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#351633 - 18/04/2012 02:23
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Agreed. And the bad thing is that Apple decided to build on this silly idea of a "safer" system, which is not inherently true, and now many unaware users will pay the price for it. Not that this surprises me a bit, honestly, and I've been expecting this time to come for a while given the increasing market share of OSX.
This is what I don't understand. One semi major incident means that OS X instantly loses the safer title? While Windows has been a security nightmare for ages and only has recently begun to improve? I want to say there is a specific term for this, but can't name it currently.
It took Microsoft decades to respond to their glaring virus issue with a free product (Microsoft Security Essentials still not installed by default and Windows Defender which is). Apple on the other hand responds within weeks to clean up any mess on their side. Including the effort when trojans first started appearing on OS X to build in a new security feature akin to Windows Defender.
Call it smug if you want, but I think Apple has every right to still promote their desktop system as a safer alternative to Windows. Not only due to the pure numbers of security issues on both sides, but also because they were more responsible than their competitor every time an incident has occurred.
If you go back and look at Apple's claims, they never said virus proof, or any sort of similar language. Their direct claim was that their platform didn't suffer the same sorts of problems that Windows did. Yes, the echo chamber and fanboys turned it into virus proof, but that is not Apple speaking.
http://www.youtube.com/watch?v=GQb_Q8WRL_g
#351634 - 18/04/2012 04:38
Re: Internet security software
[Re: drakino]
|
carpal tunnel
Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
|
I'm a strong advocate for OS X as a desktop OS, but it's worth pointing out that OS X was really late to the party in having a half-decent ASLR implementation, and has earned much of its reputation for security by being a smaller target in terms of market share. I'm not saying Windows 7 is more secure if you control for the market share effect, but I bet it's closer than most people think, and most of Apple's gains came from the most recent 10.7 Lion release, while the claims about being more secure were made when OS X was still vulnerable to many classes of attacks that other OSes solved many years prior. (Of course I'd rather get pwned and restore from Time Machine several times a day than use Windows or any Linux distro as my main desktop machine.)
Given how long it took Apple to issue a patch for this very prominent exploit, I think they'd be in trouble if OS X were suddenly on 80-90% of all desktops tomorrow.
#351636 - 18/04/2012 06:16
Re: Internet security software
[Re: tonyc]
|
carpal tunnel
Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
|
Given how long it took Apple to issue a patch for this very prominent exploit
The normal Apple "technique", of not saying a thing until they have a fully-fledged solution, is always going to look irresponsible when applied to security issues. It's the way Microsoft behaved before they realised they had a security problem.
Peter
#351641 - 18/04/2012 13:22
Re: Internet security software
[Re: drakino]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
This is what I don't understand. One semi major incident means that OS X instantly loses the safer title? [...] If you go back and look at Apple's claims, they never said virus proof, or any sort of similar language. Their direct claim was that their platform didn't suffer the same sorts of problems that Windows did.
- Current OSX is not >inherently<, per se, a safer OS than any competitor. It is simply benefiting from not having been targeted as much. And this is not to say that Windows/Linux/whatever "are better" than OSX or vice versa, or to foster any specific fandom point of view. Both statements would be wrong unless you narrow them down significantly to focus on specific features or paradigms, and highly subject to personal preferences. And even more so, this is not saying that the producer overall as a corporation is better than another corporation overall. In what way would it make sense? The fact is that OSs come with bugs, and their users are not from different breeds: they all can be fooled.
- Until today Apple has deliberately and openly fueled with clear and effective advertising the popular myth according to which Apple products "don't get viruses" (whatever that actually means in technical terms). The "I am a PC-I am a Mac" commercial you linked is as irresponsible as it gets. It does not elaborate, explain, or put any disclaimer on screen. It actually makes many users feel safe when they're not. The target audience of that commercial is not the tech savvy, and the message anybody w/o advanced/average IT knowledge gets is that a PC sneezes while the Mac does not and is not scared to stand next to it. The fact that they have not precisely stated that Macs are invulnerable to viruses is at the same time true and a devil's advocate's argument to defend Apple. Apple can make mistakes, both technical and ethical, like any other company. And like any other company, they actually do make them every now and then.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#351645 - 18/04/2012 16:06
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Current OSX is not >inherently<, per se, a safer OS than any competitor
Yes, it is. It's designed from the ground up to be a multiuser system with privilege separation. Windows is still dealing with cruft, both technical and psychological, from its single-user days. It's a little better now than it used to be, but not a lot.
_________________________
Bitt Faulk
#351649 - 18/04/2012 17:01
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
My biggest beef with "Windows Security" (if such a thing exists) is that the system and applications all have this mindset where they like to automatically find and run random programs. Regardless of the under-the-hood heritage, that kind of behaviour is just begging for infection.
For most personal systems and products, I feel that security is way overdone in general, making systems harder to use than they need to be. Most of that could go away if apps would simply stop including loopholes to automatically run code they find in attachments, documents, websites, and/or inserted media.
Cheers
#351654 - 18/04/2012 19:15
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Yes, it is. It's designed from the ground up to be a multiuser system with privilege separation. Windows is still dealing with cruft, both technical and psychological, from its single-user days. It's a little better now than it used to be, but not a lot.
Assuming this is true, this would not be a valid reason to consider Windows a less secure OS than OSX. Security depends on much more than that. But, in any case, is it true?
1. When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user? Windows 3.x, 95, Millennium are a >different< OS, starting from Kernel up.
2. Would you please provide or point me to any official paper, tech specification, factual technical evidence that supports your statement? And, please understand I am not referring to historical data. I am referring to Windows 7 vs OSX in their respective latest versions.
Please, understand I don't mean to disagree with you or challenge your statement for the sake of it, or prove you wrong. I don't have an opinion myself on that (Windows 7 and OSX inherent technical security) nor >>real<< data, in spite of the hundreds of articles and opinions one reads here and there in years, to support any specific view. I just want to separate generic personal appreciation for this or that product from facts, and since you are a very strong supporter of one of the two platforms, I am honestly curious to understand exactly what you are referring to.
See, in the last 10 years I've seen, on the field, hundreds of Windows machines in public locations in our organization used by hundred of users per day, and I have real stats on that. Never a machine was infected by malware or viruses beyond the boundaries of the user environment, never the OS was compromised, and we don't reinstall the OS for years (3 to 5, which is simply the life-cycle of the hardware), and never because it "naturally slows down" as the common popular belief would suggest: never we've seen performances decrease because of simple, standard daily usage by a very wide range of different users, ranging from complete user illiterates to fairly advanced ones, all with average/high level of education. I mean: never.
So, see, while my experience would 100% support the idea that Windows by default puts users in the condition to do a lot of damage still today, that does not at all reflect what the OS is technically capable of and how safe it inherently, technically, is. And actually, all this is based on the 11-year-old Windows XP.
In any case, any additional info is useful and welcome.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#351655 - 18/04/2012 19:38
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
Yes NT3.5/NT4/Win2k/WinXP were all technically multi user. However, to actually use them as a typical non corporate user, you were pretty much guaranteed to be logged in as a user with admin permissions. This was because for a long time Microsoft made little effort to make things easy for an end user to get things done logged in as a non admin user. They tried to improve this in Vista and made a mess of it, thankfully in Win7 that got a lot better*. Things were even worse for developers, I still have to run Visual Studio as admin to do a lot of things (though they are fast reducing that list of things now).
* though it still doesn't really solve the problem for non technical users. There is a horrible irony where browsers and other Internet facing apps need to update themselves to keep the user safe, but to do so they need to ask the user for admin permissions if the user isn't logged in as an admin. To the uneducated user of course one dialog looks much like any other, meaning they can never tell a real update from something malicious also asking for admin rights. All of which leads to my mother emailing me screenshots of update dialogs on a weekly basis, asking if it is safe to press OK.
_________________________
Remind me to change my signature to something more interesting someday
#351656 - 18/04/2012 19:57
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
never the OS was compromised, and we don't reinstall the OS for years (3 to 5, which is simply the life-cycle of the hardware), and never because it "naturally slows down" as the common popular belief would suggest: never we've seen performances decrease because of simple, standard daily usage by a very wide range of different users, ranging from complete user illiterates to fairly advanced ones, all with average/high level of education.
Unfortunately that completely fails as soon as an end user owns a Windows machine. I've never quite worked out why, but most of my friends can turn a perfectly ok Windows machine into a slow bloated thing within 12 months. They never seem to have installed anything particularly interesting, but whatever it is it slows them down. Occasionally I can track down what is dragging it down and improve matters. But I'm afraid most of the time my advice has to be reinstall the lot. This has never really been my experience with my own Windows machines, but just about every non techie friend I know has the same effect on their Windows machine in the end.
For what it is worth, I think Win7 is better than OSX. I now use OSX as my daily OS, but that is only because I think the Apple hardware is the best you can buy. For me OSX is still not as stable as Windows (I can count on one hand the number of blue screens of death I've had since WinXP arrived). I can't say the same about kernel panics on OSX.
If it wasn't for Chrome and VirtualBox I'd probably be booting this MacBook into Win7 rather than running OSX.
And that isn't to say there aren't lots of good things about OSX, but it does get some very basic things horribly wrong. Like window management and Finder for a start.
_________________________
Remind me to change my signature to something more interesting someday
#351658 - 18/04/2012 21:19
Re: Internet security software
[Re: andy]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Unfortunately that completely fails as soon as an end user owns a Windows machine. I've never quite worked out why, but most of my friends can turn a perfectly ok Windows machine into a slow bloated thing within 12 months.
Andy, agreed on all accounts. This has been my experience too, approximately. We also distribute more or less 3000 Lenovo Windows-based laptops and 1000 OSX-based laptops to our users. They come with a standard software endowment, but users are admins on these machines and can change the configuration as they want. Data I have and my direct experience tell me that:
1. Non techie users will most likely slow down their Windows machine. Causes for this, accounting for almost 95% of all cases, are, however, known, at least as far as we experienced, and they are:
a. Insufficient amt of RAM to accommodate all running tasks that users end up having after installing a significant amt of software;
c. poorly designed software keeping power or RAM hungry processes always running;
d. Concurrent AV software some users install w/o knowing they should not install more than one at the same time.
And then, of course:
e. Virus/malware, which ends up being part of c., above, if you wish;
f. Hardware issues (number one being by far HDD damages, followed by faulty RAM modules) that cause the PC to look unresponsive for some time, and occasionally crash. That is also what users report as "slow" machine.
Interestingly:
1. Apple hardware is as reliable as the best Lenovo we have. Not better than it, though. Some Lenovo lines, such as the Edge family, seems a bit more delicate than the other more "corporate" lines. Faulty screens, keyboards, touchpads, batteries, PSUs, ram modules, occur just as often with Lenovo and Apple. But, my guess is that this is the best market has to offer and other brands would not perform as well. Interestingly, I can't seem to notice any worsening of quality since the transition from IBM to Lenovo, so far.
2. We do seem to have quite a few older Apple laptops (two years old, since we would not distribute Apple before then) who are brought to tech support because they are "slow". I do not recall figures though, nor the identified causes for that. My best guess though would make me think the reasons are the same as for Windows machines, except for virus/malware. Which is, unfortunately, going to change and if we don't succeed in providing some basic education to non-experienced users, it is possibly getting bad.
For what it is worth, I think Win7 is better than OSX. I now use OSX as my daily OS, but that is only because I think the Apple hardware is the best you can buy. For me OSX is still not as stable as Windows (I can count on one hand the number of blue screens of death I've had since WinXP arrived). I can't say the same about kernel panics on OSX
I tried OSX as my main laptop experience and reverted to Windows 7 mostly because I never fully adapted to the different paradigm and got tired of being less productive than with Win7 without any actual gain. I consider this a personal thing and not objectively a limit of the OS itself, but I very much relate to your comments on Finder and window management in general. I did not use OSX as main OS long enough to speak from my experience directly, but it is true that we (well, not me in particular, but I get that info and sometimes get to play with those machines if I have time) see daily OSX laptops crashing and hanging. Users and the way these machines are physically treated (bad!) do play a role in that.
All this just to bring my personal experience. Not at all meaning anything in principle against or in favor of OSX, which, however, overall, I like.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#351660 - 18/04/2012 22:35
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
|
For Mac OS X, just install Path Finder and forget about the default Finder. It's much much better than Explorer in Windows with a lot more features/power. Needless to say it clearly makes Finder look like what it is, basic (and getting crappier with every OS update). The unfortunate thing about Mac OS X is that with every new release while a few positive features are added, a lot is getting worse. The default software is getting a lot more buggy, features are not properly conceived and developed and fixes are not being propagated to older hardware because the model cut-off is moving up rapidly. Mac OS 10.7 Lion is the worst OS Apple has shipped since 2003, IMO. Prior to that Mac OS wasn't worth even considering as a primary OS.
#351675 - 19/04/2012 16:44
Re: Internet security software
[Re: Taym]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user?
Look at the default file permissions on %SystemRoot% on most of those OSes. It's pretty much wide open; any user can screw with any of those files. (This seems to no longer be the case under Win7/2k8, and it was a little better under 2k3, where only "Power Users" could screw with those files.) Part of that had to do with the fact that the OS would install on a FAT filesystem and convert it to NTFS.
That said, there's a fundamental architectural difference, in that the privilege separation available in Windows is an afterthought and not built into the design of the system. Many experts agree with me and can speak about it much better than I can. Just google for "windows privilege separation". Here are a couple of good articles: "The Importance of Privilege Separation", "Bolted-on security features aren't secure".
It's also worth noting that Microsoft's resolution to security holes in the OS was not to fix those security holes, but just to implement a firewall. Not that there's anything wrong with a firewall, other than it kind of keeps you from remotely accessing the computer, and if you have to expose one of the exploitable services, it does no good.
Also, if you look at security fixes for other OSes, they largely amount to coding mistakes and are usually easily fixable because the change won't affect anything that's not trying to exploit it. On the other hand, Windows security fixes frequently break existing functions because they've had to rearchitect the offending code. (This is obviously a generalization, but it tends to be true.)
The other, and perhaps bigger, problem is that generations of Windows users have gotten used to being able to do whatever they want on their computers without being bothered with security. There were a lot of problems with Vista, but the one thing that got the most complaints was the intrusiveness of its UAC. And that was potentially the one thing it got right. Regardless, it's a psychological problem. Windows users are irritated when they have to deal with privilege separation, and Microsoft kowtowed to them by scaling back UAC significantly under Windows 7. That said, if they hadn't, people would have just turned UAC off. (In fact, they did, and they still do.)
And the fact that you can turn UAC off is just another example of how superficial Windows' privilege separation is. It just proves that you're allowed to do anything on the computer unless UAC recognizes that you're not supposed to. It's effectively a default-allow policy instead of a default-deny one.
_________________________
Bitt Faulk
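
Added example, not part of the thread: one way to check the %SystemRoot% permissions point from the post above on a given machine, by listing "allow" ACL entries that give broad, non-administrative groups write access. It assumes PowerShell 3.0 or later; the function name Get-BroadWriteAce and the choice of which well-known SIDs count as "broad" are this example's own.

```powershell
# Added example (not from the thread): list "allow" ACEs on %SystemRoot% and its
# immediate subdirectories that give broad, non-administrative groups write access.

# Well-known SIDs are language-independent, unlike group names.
# Which groups count as "broad" is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

# Specific rights that allow changing content, permissions or ownership.
# Modify and FullControl include these bits, so they are caught as well.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# ACEs can also carry raw generic bits that the FileSystemRights enum does not
# name: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericMask = 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL for ${Path}: $($_.Exception.Message)"
        return
    }

    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# %SystemRoot% itself plus its first-level directories (System32 and so on).
$targets = @($env:SystemRoot)
$targets += Get-ChildItem -LiteralPath $env:SystemRoot -Directory -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$targets | ForEach-Object { Get-BroadWriteAce -Path $_ } |
    Sort-Object Path, Identity |
    Format-Table -AutoSize -Wrap
```

Each row is a candidate for review rather than a finding: some system directories are writable by standard users by design, and a numeric value in the Rights column is one of the generic bits noted in the comments.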
#351689 - 19/04/2012 21:33
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
|
Windows users are irritated when they have to deal with privilege separation, and Microsoft kowtowed to them by scaling back UAC significantly under Windows 7. That said, if they hadn't, people would have just turned UAC off. (In fact, they did, and they still do.)
Yep. And I'm one of 'em. Turned the damned thing off, as soon as I could. And I'm a veteran Linux user who quite happily uses a non-privileged account, reserving sudo usage for the appropriate tasks.
But, in fairness, I know I can do so safely, because I run Win7 in a virtual machine, and only for testing purposes. No email, no web-surfing, etc. Heck... I don't even have it connected up to our domain.
#352089 - 11/05/2012 11:24
Re: Internet security software
[Re: wfaulk]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user? Look at the default file permissions on %SystemRoot% on most of those OSes. It's pretty much wide open; [...](This seems to no longer be the case under Win7/2k8
That's my point. No longer the case. Leaving aside that a bit of work even on the 10-year-old Windows XP would secure the machine very well (which included changing permissions to %SystemRoot%, which we used to do) - provided some basic maintenance (App upgrades, mostly, as OS upgrades are typically scheduled and automatic) - today the problem you mention is just not there any longer. Which is why I don't consider Windows inherently less secure in this respect.
That said, there's a fundamental architectural difference, in that the privilege separation available in Windows is an afterthought and not built into the design of the system.
Assuming this is true, how is this speaking about how secure Windows is today? An afterthought does not necessarily mean "poor implementation". There have been excellent cases of afterthoughts in history of IT, and technology in general. That's why I was asking for facts (papers, tech documentation) that show where this inherent lack of security is.
Many experts agree with me
And many others don't. Again, please don't think I am trying to prove you wrong. What I am saying is that as far as I am concerned there really is no final word, there; security of various current OSs in the market has been constantly increasing over time, and at each new release, version, patch, if we could scientifically and factually measure security, the winner cup would shift from one hand to the other continuously. Claiming that Windows (or OSX, or Linux) is a "more/less secure" OS in such general terms, maybe just because of that OS specific history, or because we "like it better", is just not convincing at all, to me.
As to: http://sec.apotheon.org/articles/the-importance-of-privilege-separation That article contains opinions at most. Information on Windows is just wrong or inaccurate, possibly referring to the other DOS-Based Windows (95/98/ME) which has nothing to do with current Windows and its predecessors (7/Vista/XP/2000/NT4.0). Mostly, it is all but factual. Same goes for http://www.techrepublic.com/blog/security/bolted-on-security-features-arent-secure/376 , which clearly claims (again with no facts) that Windows evolved for DOS, so clearly the guy is referring to the other Windows, not the one most people use in 2012. And again, not factual. And they're both so old that the authors, clearly ignoring most basic facts of Windows in those years, would not even imagine what the years-to-come Windows 7 would be.
It's also worth noting that Microsoft's resolution to security holes in the OS was not to fix those security holes, but just to implement a firewall. Not that there's anything wrong with a firewall
What makes you say that? I see hundreds of hotfixes every year that do exactly that: fixing. And they have nothing to do with the firewall. And, they don't break any existing code. Again, for years, we've adopted various update strategies, in various departments. Some machines (hundreds) were updated right away upon release, others were updated via the internal WU server after test and approvals by us. In either case, very, very few cases of incompatibility came up. Maybe 2 or 3 in 10 years. And with specific old applications. Saying that Microsoft updates "break" existing code is in my experience just a popular myth.
But again: do we have any >>stat<< from a third party analyst that shows with actual data how MS updates broke existing code more or less frequently than any competitor, if there's any: MS Update service is possibly the largest and most complex in the world (but still); and, in a specific timeframe, possibly in the last 5 years, just to look at data that has any relevance today? Not that I know of, but any hint is welcome.
The other, and perhaps bigger, problem is that generations of Windows users have gotten used to being able to do whatever they want on their computers without being bothered with security.
I agree on this, in these terms: I too think that Windows never successfully allowed generic user to work easily without using the Admin account. But technically it has always been possible and doable, in the past with most applications, today with virtually ALL current apps. And it was done, and it is being done, every day, successfully. Still, doing any such thing, in the past more than today, would require a more experienced user, at times a professional, to prepare the machine properly. Nothing that the average user would be able to. So, in homes, all use Windows as an Admin. But this is why I do not consider this an >inherent< lack of security of the OS, but rather a User Experience Design fault. But this is just how we define "inherent", I suppose, so maybe I am wrong in the meaning I assign to the word itself.
Today, I simply believe that it is possible that Windows 7 64bits patched few days ago and OSX Lion patched and updated as well are one more secure than the other. And, whichever is the most secure, situation may change next month. One thing is sure, I think: we'll see more and more viruses and trojans for OSX as it is now popular enough.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
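Added example, not part of any post in this thread: a read-only PowerShell check of the two things argued about above, on whatever machine it is run on: whether broad groups hold write-type rights on %SystemRoot%, and whether UAC is on. The function names, the choice of directories and the list of "broad" groups are assumptions made for this example.

```powershell
# Well-known SIDs, so the check does not depend on the display language.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

# Rights that let a principal change or replace files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only entries on system directories often carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-BroadWriteAce {
    param([string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $broadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled       = ($v.EnableLUA -eq 1)           # 0 means UAC is off
        AdminPromptLevel = $v.ConsentPromptBehaviorAdmin  # 0 = never prompt, 2 = always prompt on secure desktop
        SecureDesktop    = ($v.PromptOnSecureDesktop -eq 1)
    }
}

# Directories chosen for this example; add others as needed.
Get-BroadWriteAce -Path $env:SystemRoot, "$env:SystemRoot\System32" | Format-Table -AutoSize
Get-UacState | Format-List
```

No rows from the first command means none of the listed groups holds a write-type right on those directories.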