RE: Spyware becomes increasingly malicious
Alexei Roudnev wrote:
> It is not a bug; it is a specially designed IE feature. MS was always proud of their full automation - install on demand, update automatically, add new software to start at startup without needing to be system admin, etc etc... As a result, we have a field full of bugs, pests, pets, spiders, spies and so on... They have _exactly_ what they designed. No one even bothered to ask me 'do you want to allow this registry change', because 'MS believes that their users are lamers so everything must be automated from the beginning to the end'...

Most of the latest versions appear to install themselves using the ByteCode Verifier vulnerability in the Microsoft Virtual Machine. Fully patched systems don't get the stuff installed. I'm sure the authors are working on newer injection methods.... Though the blame might be placed on Microsoft for having a flaw in their code, this wasn't part of any IE feature. You can read more about this exploitable bug (not feature) at http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

> I do not blame MS, but what about spyware on Macs - is it so easy to write and install spyware there?

I don't really want to get into the argument of why people choose microsoft products to attack, but if someone was going to choose a product to attack, from which they were going to try and make the most money/impact off of, do you think they would choose the product with the largest user base? I think that's the case here. It would be a poor business decision not to, and these people are definitely out to make as much money as they can off of these exploits.

> This is 100% legal at this point (and even if it is not legal, who bothers about it outside of the USA? No one!).

It really shouldn't be legal. It is someone gaining unauthorized access to computer systems and altering data on those machines. Not to mention that people are profiting from these intrusions.
-Brian
> Most of the latest versions appear to install themselves using the ByteCode Verifier vulnerability in the Microsoft Virtual Machine.

MS do not publish full system specs, and they use undocumented features themselves. So, what are other companies doing? Yes, correct, they are experimenting, searching for the undocumented features. They found them, and no one can separate bugs from undocumented features. These are all results of the MS approach _I am doing everything myself and do not want others to compete with me_. Ok, so please do not complain about those who use your undocumented features, undocumented API (and ohh, it is not my API, it is a bug... as they are saying now). Are you sure that it is a bug, and not a backhole created by MS for themselves? I am not.

> Fully patched systems don't get the stuff installed.

Or - after others found this backhole, they decided to seal it. You can not prove that it is a bug, as I can not prove that it was a feature. Any undocumented API is no different from a bug - it is just something which is not documented but exists.

> I'm sure the authors are working on newer injection methods....

Just as MS is working on new undocumented APIs. Of course, they are - hackers, spyware designers and MS developers... I do not see a difference.
> Though the blame might be placed on Microsoft for having a flaw in their code, this wasn't part of any IE feature.

Please, specify a difference between 'flaw in the code' and 'backhole created for their own purposes'. If they claim 'our developers use only the specified API' and 'we specify and document every system call and every function which can be used legally, from a technical point of view', then I agree. But they never did and never would. If they did it, they would lose their monopoly. Result - a full zoo of pets, pests, and other animals in every home computer running Windoze.

May be this particular feature was a bug, I can agree - but I do not see a difference (still).

>> I do not blame MS, but what about spyware on Macs - is it so easy to write and install spyware there?
> I don't really want to get into the argument of why people choose microsoft products to attack, but if someone was going to choose a product to attack, from which they were going to try and make the most money/impact off of, do you think they would choose the product with the largest user base? I think that's the case here. It would be a poor business decision not to, and these people are definitely out to make as much money as they can off of these exploits.

Sorry, it was a _technical_ question - is Mac OS known as having pests and ad-ware in comparable numbers (if any)?

>> This is 100% legal at this point (and even if it is not legal, who bothers about it outside of the USA? No one!).
> It really shouldn't be legal. It is someone gaining unauthorized access to computer systems and altering data on those machines. Not to mention that people are profiting from these intrusions.

Hmm. Is it legal for MS developers (for example, Office developers) to use undocumented APIs? What's the difference? What does 'access' mean - you open my web page, and your IE downloads my GIF file - is it authorised (my GIF is installed onto your computer)? You allow ActiveX to run, even if ActiveX can install software - that is enough to be authorised. This is common sense - if there is a road, it is authorised to hike it (except if there is a closed gate or an angry dog on the way). At least, it is common sense in 90% of the world. Of course, we can create many laws making common sense useless, but do not expect anyone outside to follow them. The Internet is not located inside, so - you can draw a conclusion. MS provoked people to search for undocumented things - it is common sense which tells me that it results in my home computer performing unpredicted actions - and I can not blame spyware writers, I should blame MS writers... (I do not like spyware writers, anyway, but they are doing their business..)

Of course, they are. MS has profited from undocumented APIs as well. Where is the difference?

> -Brian
> MS do not publish full system specs, and they use undocumented features themselves.

Ok, say MS published their code tomorrow, what do you think would happen? All the crackers and virus writers of the world would join hands and sing 'joy to the world' and forgive MS for their trespasses? I suggest that many of these virus writers are not motivated by an elitist ideology, but rather by financial gain, and the sense of empowerment borne of damaging a global system. I agree that MS, like many large companies, have not always behaved in an ethical manner, and have been driven largely by bottom line economics, but what is done is done, and that doesn't absolve virus and spyware writers of the damage they are doing to the internet community.

> So, what are other companies doing? Yes, correct, they are experimenting, searching for the undocumented features. They found them, and no one can separate bugs from undocumented features. These are all results of the MS approach _I am doing everything myself and do not want others to compete with me_. Ok, so please do not complain about those who use your undocumented features, undocumented API (and ohh, it is not my API, it is a bug... as they are saying now). Are you sure that it is a bug, and not a backhole created by MS for themselves? I am not.

So MS has undocumented 'features', so what? When you install their software you agree to a licence, and that you are using their software bound by their terms and conditions. Am I afraid big brother is watching, that MS is spying on me? Not really, nothing to see. Do I think that some of these practices are unethical? Yes, they probably are, but when I agreed to that licence I gave up my right to complain. Arguably, the internet would not be where it is today without MS, and that this design principle of automating as many processes as possible is what has made the internet a universally accessible medium, and that this automation creates security vulnerabilities is simply the trade-off made for that accessibility.

> Or - after others found this backhole, they decided to seal it. You can not prove that it is a bug, as I can not prove that it was a feature.
> Any undocumented API is no different from a bug - it is just something which is not documented but exists. Just as MS is working on new undocumented APIs. Of course, they are - hackers, spyware designers and MS developers... I do not see a difference.

I see a very distinct difference, and that is that I have made a choice to use the MS product, that I have given my consent to them by way of a licence agreement; if they clearly abuse that trust, I will choose an alternative product, that is free enterprise in action. But I did not give the hacker and spyware writer permission to invade my privacy and damage my systems. Using MS products is not an open invitation to criminals to disrupt my networks, or absolution for criminal acts.

> Please, specify a difference between 'flaw in the code' and 'backhole created for their own purposes'. If they claim 'our developers use only the specified API' and 'we specify and document every system call and every function which can be used legally, from a technical point of view', then I agree. But they never did and never would. If they did it, they would lose their monopoly. Result - a full zoo of pets, pests, and other animals in every home computer running Windoze.
> May be this particular feature was a bug, I can agree - but I do not see a difference (still).

MS has a monopoly, it's true, but the reason for that monopoly is not entirely because of unfair business practices, it also has a lot to do with their original design mission. That was and still is, to make their OS as easy to use as possible. You and I may know how to use Linux, but up until a couple of years ago, this was just too complex an operating system for the average home user. That much of the MS code is undocumented is probably a good thing, because it makes the virus writers' work more difficult. Do I think that these undocumented features serve some devious purpose? If someone can come up with hard evidence of that, I will change operating systems.

> Sorry, it was a _technical_ question - is Mac OS known as having pests and ad-ware in comparable numbers (if any)?

This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code. I have heard an OS compared to a sphere, the larger the sphere the more surface area: the larger the OS, the more area to protect. The last time I installed Red Hat, it weighed in at nearly 2 gigs, Mac around the same. Now, you can fit a 1000 page novel in a 3 meg file, so consider, there are millions of pages of code in an OS, and regardless of your operating system of choice, there are innumerable flaws that beg exploitation. The only reason MS is consistently the subject of attack, and not Mac, is not because Mac is bulletproof, it is a tactical decision. Like it or not MS controls the market, and virus writers want to create exploits that will have the greatest impact. If MS were to disappear tomorrow, and Mac were to become king, it would only be a matter of weeks before virus writers ported their code to the Mac OS. Don't agree? Read 'Hacking Exposed Linux'. I used to think Linux was secure, now I know better.

> Hmm. Is it legal for MS developers (for example, Office developers) to use undocumented APIs? What's the difference? What does 'access' mean - you open my web page, and your IE downloads my GIF file - is it authorised (my GIF is installed onto your computer)? You allow ActiveX to run, even if ActiveX can install software - that is enough to be authorised. This is common sense - if there is a road, it is authorised to hike it (except if there is a closed gate or an angry dog on the way). At least, it is common sense in 90% of the world.

Again I think it comes down to choice. I have navigated to a website because I have made a choice to view its content and services, I did not however, choose to have spyware installed on my computer. By installing this software, they have violated my trust, they have installed invasive software without my consent. I realize that I may be vulnerable to viruses in using the internet, but that does not excuse the virus writer from creating software that impedes my use of this system, or removes my ability to choose the nature of my experience.

> Of course, we can create many laws making common sense useless, but do not expect anyone outside to follow them. The Internet is not located inside, so - you can draw a conclusion. MS provoked people to search for undocumented things - it is common sense which tells me that it results in my home computer performing unpredicted actions - and I can not blame spyware writers, I should blame MS writers... (I do not like spyware writers, anyway, but they are doing their business..)
> Of course, they are. MS has profited from undocumented APIs as well. Where is the difference?

Well it may seem that I am singing the praises of MS, but that is simply not the case. After years of being a systems admin, I came to really dislike MS, it was a lot of work keeping the systems clean and safe, but it's kind of like what Churchill said about democracy: 'Democracy is a bad form of government. Unfortunately all the others are so much worse..' MS makes a lousy OS, but for the home user, it's the best thing we've got. I think though, that there is a greater issue here, and that is what should be done about sites like 'cool web search'. Clearly they are causing damage to the internet community. Laws can not be relied upon to act on such trespasses, not in an international community. This places the onus of responsibility on the ISP leasing the addresses. This site has likely infected millions of computers, and I have no doubt their ISP is aware, but probably has a policy of non-discrimination, or doesn't want to involve itself in legal entanglements. Do you de-peer them or filter their prefixes as someone suggested? I think a lot of legitimate users would suffer as a result, so this is not a reasonable solution. But something does have to be done, when a website presents a clear and ongoing threat to the internet community, it has to be actionable. The problem then becomes, who defines what is a threat, and by what criteria do providers refuse service to the individual or each other? So do you create a charter of acceptable policies and practices among ISPs? Some collectively agreed upon statement of what constitutes acceptable practices as it pertains to this type of situation? I'm not sure it would work, but I am hard pressed for solutions. We all remember the promise e-commerce once held to our industry, and I believe it has fallen flat, largely due to the perceived danger of spyware and viruses. The danger of these attacks, and their scope and severity seem to grow each year, and I think the entire community is suffering as a result.

So the question remains, what do we do about it?
>> Sorry, it was a _technical_ question - is Mac OS known as having pests and ad-ware in comparable numbers (if any)?

* stepnwlf@magma.ca (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.

It has. Darwin is based on years of development in BSD code.

-- Niels.
-- Today's subliminal thought is:
Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure? Of course. Do I think they are actively working on the problem? Yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.

----- Original Message ----- From: "Niels Bakker" <niels=nanog@bakker.net> To: <nanog@merit.edu> Sent: Wednesday, July 14, 2004 3:31 PM Subject: Re: Spyware becomes increasingly malicious
Ok, let's return to reality (sorry for moving this thread into the OS related flame).

First of all, even if an OS has no caveats, it will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is to write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly.

But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil. The system must distinguish between 'USER' mode (use applications but do not change system behavior) and 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, the system must ask for a password to do any such action. (If you know MS, you can imagine what a nightmare it is to implement it -- I worked with an IDS such as Osiris and had fun guessing what the system decided to change today. But it is not a problem in most other OSes).

Second, and even worse, problem is the absence of ANY system interface showing you what is starting, stopping and running. It is not any problem to remove spyware, from a common point of view - just open the 'list of running processes' and 'Startup list' and uncheck everything you do not want to see. Problem - such an interface does not exist, is not possible because of complexity (there are millions of ways of starting anything) and can not trace a history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'plugins' and 'toolbars' and so on). Anyway, a good 'change history' system could easily revert such changes back so that instead of very complex 'adaware' scanners we will have just a 'change history, revert?' button.

Third is easier for an ISP - if we can not fight bad software, fight those who profit from using it. For SPAM - ok, there is not ANY way to stop the sending of spam (for now), but any SPAM advertises someone, and this someone is always 100% identified - so fight (limit, flood by calls, overload with false information, etc) the SPAM beneficiaries, teach them not to purchase 'We will send your advert to 10M people over the world'. The same in the case of adware. For spyware, fight those who receive the information back - by any means.

----- Original Message ----- From: "John Underhill" <stepnwlf@magma.ca> To: "Niels Bakker" <niels=nanog@bakker.net>; <nanog@merit.edu> Sent: Wednesday, July 14, 2004 1:12 PM Subject: Re: Spyware becomes increasingly malicious
> First of all, even if an OS has no caveats, it will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is to write a fancy game and offer it 'free of charge' in exchange for 'Allow us to show you ads once / day'. That's all - you will have everything installed explicitly.

Not necessarily true. Security/permissions plays a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install "Cool-Search", their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE.

Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their "Cool-Search" and non-privileged users can't install anything.

When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party.

User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.

-b

On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <alex@relcom.net> wrote:
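The thread asks for two things a Windows user does not get out of the box: a plain "startup list" with a "change history" behind it (Alexei's second point), and visibility of which autostart changes could only have been made with admin rights (Brett's point about default admin logins). The PowerShell script below is an added example from this editor, not code from any poster: it snapshots a deliberately small set of autostart locations, stores a baseline, and on later runs reports what was added, modified or removed, tagged by per-user or machine-wide scope; the baseline file path and the choice of locations are my assumptions, and the list is far from every persistence point Windows has.

```powershell
# Added example: baseline-and-diff of Windows autostart entries (not from the thread).
# The location list is a small assumption: Run/RunOnce keys and the two Startup
# folders. Real persistence has many more places (services, scheduled tasks, BHOs),
# which is exactly the complexity the thread complains about.

$BaselinePath = Join-Path $env:LOCALAPPDATA 'autostart-baseline.json'  # assumed path

# Per-user locations are writable by the logged-on user; machine-wide ones need admin rights.
$Locations = @(
    @{ Scope = 'user';    Kind = 'registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'user';    Kind = 'registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Scope = 'machine'; Kind = 'registry'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'machine'; Kind = 'registry'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Scope = 'user';    Kind = 'folder';   Path = [Environment]::GetFolderPath('Startup') },
    @{ Scope = 'machine'; Kind = 'folder';   Path = [Environment]::GetFolderPath('CommonStartup') }
)

# Properties that Get-ItemProperty adds to its output but that are not registry values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    $entries = @()
    foreach ($loc in $Locations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        if ($loc.Kind -eq 'registry') {
            $props = Get-ItemProperty -Path $loc.Path
            foreach ($p in $props.PSObject.Properties) {
                if ($ProviderProps -contains $p.Name) { continue }
                $entries += [pscustomobject]@{
                    Scope = $loc.Scope; Location = $loc.Path; Name = $p.Name; Command = [string]$p.Value
                }
            }
        } else {
            foreach ($f in (Get-ChildItem -Path $loc.Path -File)) {
                $entries += [pscustomobject]@{
                    Scope = $loc.Scope; Location = $loc.Path; Name = $f.Name; Command = $f.FullName
                }
            }
        }
    }
    return $entries
}

# An entry's identity is location + value/file name; the command string is what we compare.
function Get-EntryKey($Entry) { return "$($Entry.Location)|$($Entry.Name)" }

function Compare-AutostartSnapshot($Baseline, $Current) {
    $old = @{}; foreach ($e in $Baseline) { $old[(Get-EntryKey $e)] = $e }
    $new = @{}; foreach ($e in $Current)  { $new[(Get-EntryKey $e)] = $e }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'added';    Scope = $new[$k].Scope; Name = $new[$k].Name; Command = $new[$k].Command }
        } elseif ($old[$k].Command -ne $new[$k].Command) {
            # Same name, different command: a known entry was repointed somewhere else
            [pscustomobject]@{ Change = 'modified'; Scope = $new[$k].Scope; Name = $new[$k].Name; Command = $new[$k].Command }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'removed';  Scope = $old[$k].Scope; Name = $old[$k].Name; Command = $old[$k].Command }
        }
    }
}

$current = @(Get-AutostartSnapshot)
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: this is the "startup list"; record it as the baseline.
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline of $($current.Count) autostart entries written to $BaselinePath"
    $current | Format-Table Scope, Name, Command -AutoSize
} else {
    # Later runs: this is the "change history" since the baseline.
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $changes = @(Compare-AutostartSnapshot -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Host 'No autostart changes since baseline.'
    } else {
        # A 'machine' scope change could only have been made with admin rights,
        # which is why running as a plain user limits what an installer can touch.
        $changes | Sort-Object Scope, Change | Format-Table Change, Scope, Name, Command -AutoSize
    }
}
```

Run it once on a clean machine to record the baseline, then again after installing anything (or on a schedule) to see exactly which autostart entries appeared and in which scope; delete the baseline file to start over.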
The problem is ActiveX, not the OS. Anything running from the browser should be in a sandbox as it is with Java applications; the same is true for the email client. ActiveX gives scripts running from the browser and the email client access to the entire machine in the name of functionality. In some cases users are prompted to authorize the installation of software when they get to a web page. Even when they choose "No," the software continues to install. It's a security hole big enough to drive a tank through. Mozilla is your friend.

Curtis
-- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com

On Thu, 15 Jul 2004, Brett wrote:
----- First of all, even if OS have not any caveats, it will not protect it from spyware/adware. if I want to install my 'Cool-Search' into million of computers, all I need to do is to write fancy game, and offer it 'free of change' in exchange of 'Allow to show you ads once / day'. That's all - you will have everything installed explicitly. -----
Not necessarily true. Security/permissions plays a major part in the effectiveness of adware and spyware. A majority of consumer Windows OS's run with the default login as an admin user. When a user chooses to install "Cool-Search", their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE.
Can this be prevented by running Windows as a non-privileged user, yes. But people want to install their "Cool-Search" and non-privileged users can't install anything.
When using OS's other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. Then can still browse with the system wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party.
User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.
-b
On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <alex@relcom.net> wrote:
Ok, let.s return to reality (sorry for moving this thread into the OS related flame).
First of all, even if OS have not any caveats, it will not protect it from spyware/adware. if I want to install my 'Cool-Search' into million of computers, all I need to do is to write fancy game, and offer it 'free of change' in exchange of 'Allow to show you ads once / day'. That's all - you will have everything installed explicitly.
But 'hidden' installation makes it much more easy for spyware, and is (in general) a very big evil. System must distinguish between 'USER' mode (use applications but do not change system behavior) and 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, system must ask password to do any such action. (If you know MS, you can image which nightmare is to implement it -- I worked with IDS such as Osiris and had a fun, guessing what system decide to change today. But it is not a problem in most other OS).
Second, but even worst, problem is absense of ANY system interface showing you, what is starting, stopping and running. It is not any problem to remove spyware, from common point of view - just open 'list of running processes' and 'Startup list' and uncheck everything you do not want to see. Problem - such interface does not exist, is not possible because of complexity (there are milluions ways of starting anything) and can not trace a history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change history' system could easily revert such changes back so that instead of very complex 'adaware' scaners we will have just 'change history, revert ?' button.
Third is more easy for ISP - if we can not fight with bad software, fight whith those who got a profit using it. For SPAM - ok, there is not ANY way to stop sending spam (fort now), but any SPAM advertices someone, and this someone is always 100% identified - so fight (limit, flood by calls, overload by false information, etc) SPAM benefitiants, learn them do not purchase 'We will send your advertice to 10M people over the world'. The same in case of adaware. For spyware, fight those who receive information back - by any way.
----- Original Message ----- From: "John Underhill" <stepnwlf@magma.ca> To: "Niels Bakker" <niels=nanog@bakker.net>; <nanog@merit.edu> Sent: Wednesday, July 14, 2004 1:12 PM Subject: Re: Spyware becomes increasingly malicious
Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure, of course. Do I think they are actively working on the problem, yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.
----- Original Message ----- From: "Niels Bakker" <niels=nanog@bakker.net> To: <nanog@merit.edu> Sent: Wednesday, July 14, 2004 3:31 PM Subject: Re: Spyware becomes increasingly malicious
Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?
* stepnwlf@magma.ca (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.
It has. Darwin is based on years of development in BSD code.
-- Niels.
-- Today's subliminal thought is:
Did you try to run Windoze as a 'not admin user'? Ok, try, then install, say, a harmless user-level (not a server at all) Visio package... They run as admin, because Windoze (1) has no easy (temporary) switching between User and Admin, and (2) 99.99% of applications require user privilege to be installed or configured (and they are not service applications).
Not necessarily true. Security/permissions play a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install "Cool-Search", their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE.
Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their "Cool-Search", and non-privileged users can't install anything.
If I am in Unix, I can install Cool-Search when I am a normal 'user', BUT it will not be a system-wide application. I need root privileges to install a service, and I do not need them to install something which is client-only (can not run by itself). // I am not advocating Unix here. There is a difference - in a very old, ancient Unix system there is simple and effective privilege segregation (and everyone understands it). No application writes into /bin and /usr/bin, and only very few badly designed applications try to write anything into /etc; the user's directory has a simple '-rwxrwxr-x' (or other) access list (easy to understand), etc etc... As a result, 99% of this _old_ OS are more secure than 99% of Windoze installations (though Windoze can be made much more secure than Unix). It is all the result of 'hidden complexity'. Install 'Osiris' (or Tripwire) IDS and try to configure rules for Unix and Windoze, then compare. Tremendous difference!
When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow ads to be served when browsing, or browsing habits to be sent to a third party.
Technically they can run some startup script, but even if they do, it is _very_ easy to get rid of such a thing. And (what is most important) users can do 100% of tasks when logging in as a 'user', not as an 'admin' (if they need a temporary permission change, they can get it).
So MS has undocumented 'features', so what? When you install their software you agree to a licence, and that you are using their software bound by terms and conditions.
O, noo. You click a button 'I agree' which means nothing for 99.99% of people over the world. Here is the difference. Do not expect people to 'agree' if you do not enforce them to follow this (and if your system does not violate 'common sense'). Did you ever see any idiot who reads these licenses (I never saw any)? It became (many years ago) some kind of ritual, like Indian dances before going to war.
May be, the idea was that people read the 'license', click the button (I agree) and follow it - never write code which violates this license? But it is not true - 99.99% of people do not read it and behave as common sense says, not as !@#$ MS lawyers fictioned... They see a wall with a gate - and they go through this gate, no matter what is written on the posters around (except, as I said, if they see an angry dog next to the gate). /On the other hand, they know that coffee is hot and a waterfall is dangerous and dogs can bite -:)/. You must design your system for this behavior, not for people who _read a license_. These licenses are good only for 2 goals - (1) use them as toilet tissue; (2) in case of serious violation, allow suing the user if he is in the USA... -- they do not change people's behavior even a bit. Unfortunately, the Internet is not in the USA, so even if we have 100 strict laws prohibiting spyware, it will not help to fight these pests and pets... The system must defend itself.
Am I afraid big brother is watching, that MS is spying on me? Not really, nothing to see. Do I think that some of these practices are unethical? Yes, they probably are, but when I agreed to that licence I gave up my right to complain. Arguably, the internet would not be where it is today without MS, and that
Of course, you are correct here.
this design principle of automating as many processes as possible is what has made the internet a universally accessible medium, and that this
And which makes it a good dinner table for the pests, viruses and so on...
automation creates security vulnerabilities is simply the trade off made for that accessibility.
I agree, in general. Yes, it is a trade off of _easy to use_, but not only. Many of these things are a trade off of _MS does not want competition_, so they keep many undocumented backholes allowing them to have benefits vs competitors. IE which makes a search instead of reporting 'Name not found' is a good example. Yes, I agree, I see a distinction too. I just want to show that it is not so simple to determine (the distinction) and it is not very productive even to try doing it - it is much more important to (1) protect the system, (2) increase competition by having more different systems, and (3) use standards instead of proprietary extensions...
MS has a monopoly, it's true, but the reason for that monopoly is not entirely because of unfair business practices, it also has a lot to do with their original design mission. That was and still is, to make their OS as easy to use as possible. You and I may know how to use linux, but up until a couple of years ago, this was just too complex an operating system for the average home user. That much of the MS code is undocumented, is probably a
Yes, and they made it 'too easy to use', so they have a drawback in the form of viruses, worms, pests and pets - what a surprise... If it were 5 years ago, they would already have gone out of the market because of competition (from others who did not make it so easy to use but kept systems without pets and pests). Unfortunately, those years are over.
I am not talking about the code; I am talking about APIs.
This is spurious logic. You are suggesting that Mac is a more secure
I do not know - it was a question.
of choice, there are innumerable flaws that beg exploitation. The only reason MS is consistently the subject of attack, and not Mac, is not because
I am not sure - the new Mac OS is much more consistent inside than MS. How can a script (which must run inside the sandbox) install spyware, or change my home page, or see my address book (except if I confirmed the administrative password after being asked)? Any small difference can play a dramatic role here - when working in Unix, I always log in as 'alex' with 'user' permissions, because I can make myself admin temporarily by running 'sudo -s' or 'su -'; in Windoze, I must log in as an administrator from the very beginning, so I do it - as a result, a script can install startup-time software in MS but can not in my Unix (just a simple example). And so on. I am not trying to analyze MS vs Unix vs MAC here, but it is obvious that MS has very serious design caveats, and there is a chance (a chance only) that other systems do not.
Again I think it comes down to choice. I have navigated to a website because I have made a choice to view its content and services; I did not, however, choose to have spyware installed on my computer. By installing this
I could not imagine, even in a nightmare, that a Browser can allow any installation (without asking me 10 times _do you want_ and _enter admin password please_). So, the MS browser is not trusted as a browser but is a very big spyware by itself. John, you are 90% right here. Unfortunately, yes, it (spyware, adware, pests, pets etc) is a trade off of _easy to use_. But unfortunately, MS killed competition, so you have no chance to do anything good while they have a monopoly. All you can do may provide temporary relief, but can not solve the problem, until we are able to choose between a few vendors and a few systems, with different levels of _easy to use_ but with (in turn) different levels of trust. Mozilla is not worse than MS IE, but due to the IE monopoly people just do not debug their applications on Mozilla - and it creates a monopoly. The problem is here, not in the 'trusted software'. The same with many other systems. (Example - in Russia, people are not so tied to IE because they have not so many fancy on-line services; as a result, the Opera and Mozilla % of usage is much higher than in the USA - they voted for these browsers. In the USA, it is impossible because !@#$ web service vendors are not interested in testing their web services on anything other than IE. This shows that the pets/pests problem is 95% an IE problem, not an overall Internet problem.) A good law can help - it will wash out spyware from part of the Internet, but it is not enough without good software and a good OS. Fortunately, the spyware problem is much simpler than the SPAM problem.
** Reply to message from "Alexei Roudnev" <alex@relcom.net> on Wed, 14 Jul 2004 22:52:07 -0700
May be, the idea was that people read the 'license', click the button (I agree) and follow it - never write code which violates this license? But it is not true - 99.99% of people do not read it and behave as common sense says, not as !@#$ MS lawyers fictioned... They see a wall with a gate - and they go through this gate, no matter what is written on the posters around (except, as I said, if they see an angry dog next to the gate). /On the other hand, they know that coffee is hot and a waterfall is dangerous and dogs can bite -:)/. You must design your system for this behavior, not for people who _read a license_. These licenses are good only for 2 goals - (1) use them as toilet tissue; (2) in case of serious violation, allow suing the user if he is in the USA... -- they do not change people's behavior even a bit. Unfortunately, the Internet is not in the USA, so even if we have 100 strict laws prohibiting spyware, it will not help to fight these pests and pets... The system must defend itself.
For a while there, one of the top tech support issues we had to deal with was a new - and automatically implemented - "feature" in Outlook Express that blocked a person from running or saving something that Microsoft considered a "dangerous file attachment." Such dangerous file attachments included .jpg, .pdf and music files. Oddly enough, it didn't seem to include .doc or .xls files. You know, the ones that actually can contain macro viruses. Because of Microsoft's ham-handed and "all or nothing" attempt at security many people now don't trust or ignore any warning messages they may receive - they simply want to view their file attachments.
-- Jeff Shultz A railfan pulls up to a RR crossing hoping that there will be a train.
On Thu, 15 Jul 2004 09:00:16 PDT, Jeff Shultz <jeffshultz@wvi.com> said:
Such dangerous file attachments included .jpg, .pdf and music files.
Once bitten, twice shy: http://cert.uni-stuttgart.de/archive/bugtraq/2001/02/msg00168.html .JPG's are HTML, didn't you know? :)
On Wed, 14 Jul 2004 22:52:07 PDT, Alexei Roudnev <alex@relcom.net> said:
O, noo. You click a button 'I agree' which means nothing for 99.99% of people over the world. Here is the difference. Do not expect people to 'agree' if you do not enforce them to follow this (and if your system does not violate 'common sense'). Did you ever see any idiot who reads these licenses (I never saw any)? It became (many years ago) some kind of ritual, like Indian dances before going to war.
It's rare that the user actually even TRIES to read the license... http://www.cypherpunks.ca/dell.html
participants (8)
- Alexei Roudnev
- Brett
- Brian Battle
- Curtis Maurand
- Jeff Shultz
- John Underhill
- Niels Bakker
- Valdis.Kletnieks@vt.edu