The problem is Active-X, not the OS. Anything running from the browser should be in a sandbox as it is with Java applications, the same is true for the email client. Active-X gives scripts running from the browser and the email client access to the entire machine in the name of functionality. In some cases users are prompte to authorize the installation of software when they get to a web page. Even when they choose "No," the software continues to install. Its a security hole big enough to drive a tank through. Mozilla is your friend. Curtis -- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com On Thu, 15 Jul 2004, Brett wrote:
----- First of all, even if OS have not any caveats, it will not protect it from spyware/adware. if I want to install my 'Cool-Search' into million of computers, all I need to do is to write fancy game, and offer it 'free of change' in exchange of 'Allow to show you ads once / day'. That's all - you will have everything installed explicitly. -----
Not necessarily true. Security/permissions plays a major part in the effectiveness of adware and spyware. A majority of consumer Windows OS's run with the default login as an admin user. When a user chooses to install "Cool-Search", their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE.
Can this be prevented by running Windows as a non-privileged user, yes. But people want to install their "Cool-Search" and non-privileged users can't install anything.
When using OS's other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. Then can still browse with the system wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party.
User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.
-b
On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <alex@relcom.net> wrote:
Ok, let.s return to reality (sorry for moving this thread into the OS related flame).
First of all, even if OS have not any caveats, it will not protect it from spyware/adware. if I want to install my 'Cool-Search' into million of computers, all I need to do is to write fancy game, and offer it 'free of change' in exchange of 'Allow to show you ads once / day'. That's all - you will have everything installed explicitly.
But 'hidden' installation makes it much more easy for spyware, and is (in general) a very big evil. System must distinguish between 'USER' mode (use applications but do not change system behavior) and 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, system must ask password to do any such action. (If you know MS, you can image which nightmare is to implement it -- I worked with IDS such as Osiris and had a fun, guessing what system decide to change today. But it is not a problem in most other OS).
Second, but even worst, problem is absense of ANY system interface showing you, what is starting, stopping and running. It is not any problem to remove spyware, from common point of view - just open 'list of running processes' and 'Startup list' and uncheck everything you do not want to see. Problem - such interface does not exist, is not possible because of complexity (there are milluions ways of starting anything) and can not trace a history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change history' system could easily revert such changes back so that instead of very complex 'adaware' scaners we will have just 'change history, revert ?' button.
Third is more easy for ISP - if we can not fight with bad software, fight whith those who got a profit using it. For SPAM - ok, there is not ANY way to stop sending spam (fort now), but any SPAM advertices someone, and this someone is always 100% identified - so fight (limit, flood by calls, overload by false information, etc) SPAM benefitiants, learn them do not purchase 'We will send your advertice to 10M people over the world'. The same in case of adaware. For spyware, fight those who receive information back - by any way.
----- Original Message ----- From: "John Underhill" <stepnwlf@magma.ca> To: "Niels Bakker" <niels=nanog@bakker.net>; <nanog@merit.edu> Sent: Wednesday, July 14, 2004 1:12 PM Subject: Re: Spyware becomes increasingly malicious
Ok.. but has BSD been attacked on the scale that MS code has? I would
no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text based browsers and kernals that fit on a floppy, it is extermely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure, of course. Do I think they are actively working on the problem, yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.
----- Original Message ----- From: "Niels Bakker" <niels=nanog@bakker.net> To: <nanog@merit.edu> Sent: Wednesday, July 14, 2004 3:31 PM Subject: Re: Spyware becomes increasingly malicious
Sorry, it was a _technical_ question - is MAC OS known as having
argue pests
and ad-ware in the comparable numbers (if any)?
* stepnwlf@magma.ca (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.
It has. Darwin is based on years of development in BSD code.
-- Niels.
-- Today's subliminal thought is: