The myth of computer security

I stopped reading after you said you recommended McAfee. If you are one of the good guys, that explains why we’re losing.

Now if only some of these bungholes would get prosecuted.  I had the person’s name IP and MAC that destroyed my system with malware.  I even launched a counterattack after their local law enforcement refused to do anything.  If you have the ability, vigilante these losers that destroy property.  Find them and kick their teeth in.  See if the feds would be willing to trace the attacks then…

Steve,

>You say “the good guys aren’t winning”… well all except for Apple and Linux it would appear.

Not really. You didn’t read (or want to respond to) the section above titled “The immune: Apple and Linux systems“.

Andy

Both Mac and Linux machines are also being targeted, and the myth of macs being immune to viruses and other malware is being aggressively disproven. If anything, you should be shouting about how vulnerable they are. This, along with the recommendation to use McAfee really makes me wonder if you know what you’re talking about. Certainly it’s impossible to be online and 100% safe. However, it’s possible to be quite a lot safer than you’re assuming by simply using some additional security methods. McAfee by itself? No wonder you’re having problems.

It seems to me a fundamental change in architecture is required.
1. Software should reside in a physically separate memory from the workspace. It should be read-ONLY, meaning it is physically impossible to write from the workspace back to the ROM. In fact, since the only thing that this module will ever do is load software into RAM, there is no need for signals ever to travel to the ROM from RAM. What communication is necessary should be via a separate channel that remains closed (ideally with a physical break like a switch) except when necessary.
2. If 1. interferes with your copy-protection or other DRM, tough cookies.
3. There should be no auto-run of any kind. This includes pop-ups. Find another way to support your Web site.
4. It should be impossible to create a rootkit. OS’s should be capable of accessing that level of the computer.
5. All software should have a single point of contact with the user so that deleting the software deletes every trace of it.
6. Nothing executes without the specific action of the user. Especially, nothing from outside. That means software will have to be completely self-contained so the user doesn’t have to run 100 different DLL’s.
7. If these safeguards warp someone’s little brain, they can buy a regular old infectable computer. But create a line of ultra-secure computers for those who want them.
8. Turn your ‘pooter OFF at night. It will at least be eight hours less for bad guys to attack you, or use your computer in their botnet.

I am a current Systems Admin that is forced to use McAfee Enterprise Antivirus and Agent software, and no I would not offer it to a customer. McAfee has yet to remove any infection it has found when it does find them. I know for a fact your statement on its tiny foot print is a gigantic load.  As we have done system performance comparisons, McAfee Enterprise has shown its self to be a epidemic level system drain, to the point that systems department in other parts of our chain have either removed or replace the software for this exact reason.
That being said I whole heartedly agree with your stance on Apple and Linux/Unix Machines. Market share determines your position on potential attackers radar, or as our apple certified specialist puts it ” security through obscurity!”

Hi Tombsmen,

Regarding McAfee, I simply haven’t experienced your issues, and I’ve been using McAfee Enterprise for the last 7 years, on 10+ companies, through version 8. This includes running it on high-powered machines as well as old, slow ones. I totally believe your experience – why would you lie? But please believe me when I say I’m not lying either. :) I don’t know your environment, so can’t really comment except to say that there’s no one software that will work well for everyone.

As far as not removing certain infections, that’s not limited to any one vendor. They all miss a lot, unfortunately. As I said in the article, “Microsoft and various security companies are doing their best against the bad guys, who are attacking faster and more creatively than the good guys can keep up.”

Personal option time: You might want to try Vipre (though be aware – just like McAfee Enterprise – you have to set it up and tweak the enterprise settings ahead of time – if you don’t, performance might suffer because your disk and CPU will be needlessly overworked and the users WILL notice). In our testing, it’s actually less of a footprint than McAfee. We’ve also used AVG, but my guys thought the centralized control is a pain. I recommend staying away from Symantec unless all your PCs are very high-end.

Good luck!

Andy

And yet there are some of us thate deliberately download/run any and all types of malware on our systems with no realtime AV or even bothered with Windows Useless Update bloat.
Sandboxie, Defensewall, Geswall, Returnil and Shadow Defender to name some brilliant apps that when used correctly will keep you far safer than any blacklist scanner.
 

um, in the “immune” section, you cite the “security via obscurity myth” which is completely false.

There are linux viruses, very few but they exist, and linux is running a significant portion of enterprise servers. Mac OSX is also used in mission critical environments and by the united states military to maintain their web presence. There are also 50+ million macs online plus the 100 million iPhones/iPod Touches/iPads which all run OS X. None of these devices has ever had a virus. Period. There is not one virus in the wild for OS X. 

*there are about 9 trojans for the mac, and a couple of viruses for iPods running linux for some reason, but thats it.

Any Unix based system is significantly more secure than one based on CP/M (DOS), because it was designed from the beginning for networking.

this is why the argument of something not being a target makes no sense, if it’s not a target because of a smaller audience, then it would be as easy to infect those machines with self propogating viruses, they would just have an equivalent percentage of the malware. They do not. at all.

This assertion in your article is wrong.

Andy, great article. As an IT worker myself, I think this write-up is a good resource for the many non-technically inclined friends and relatives I have. Also, f— the nay-sayers on McAfee. Their enterprise solution is great, as is Sophos.

Andy,
The part of my response you quoted was not my entire point. My point is that if something was secure simply by not being a target, then it would be just as simple to write a self propogating piece of malware/virus for that platform as the one with the major slice of the market. But, no one has been able to successfully do it in 10 years time (OS X debuted in 2000 as a beta) although many have tried.
My point is simply that the design of that “immune” system is more secure and has not been successfully attacked at all in 10 years. 0. That is not obscurity, or un targeted, that is by design. Otherwise, Google made a really horrible security decision by switching to macs and linux completely and i would consider them a ‘high value’ target. Also, a ‘high value’ target?… Apple. Who runs their entire company on nothing but OS X machines and servers…I would think someone would want to crack them open. And when the us military switched to Apple Xserves and OS X to run their web presence and internal electronic security? I would think they are a ‘high value’ target. Also, the NSA, CIA, FBI, and the White House all have recently made the switch to Linux and OSX servers and client machines?
The truth is that the most expensive and sensitive material in the private and public sector are protected with some type of Unix distribution. This is not an accident. When was the last time any of those named above suffered a breach? (excluding the windows IE breach that made google switch to Macs and Linux).

I don’t think anyone responded to Steve D’s mindless post, because A) his ideas are 89% illogical or bull. B) He didn’t read the original article so he’s just trolling with his “here’s what you need: blah blah blah”. C) It’s fun to poke at people’s silly comments.
It seems to me a fundamental change in architecture is required.
It’s called UNIX and LINUX…alternatives do exist. You’re speaking as an idealist and not a pragmatist. The idealists have moved to the aforementioned OS’s. The rest of us are going to do as we’ve always been doing more mindfully. Andy is right in the article about absolute protection as a myth, but hell, smoking doesn’t cause cancer, it increases the risk of cancer. Correlation doesn’t equate to causation. Following what he’s mentioned will reduce the risks.
1. Software should reside in a physically separate memory from the workspace. It should be read-ONLY, meaning it is physically impossible to write from the workspace back to the ROM. In fact, since the only thing that this module will ever do is load software into RAM, there is no need for signals ever to travel to the ROM from RAM. What communication is necessary should be via a separate channel that remains closed (ideally with a physical break like a switch) except when necessary.
Do you really think the hundreds of thousands of computer engineers out there were so stupid they haven’t contemplated this idea before? If it was located on ROM it’s more firmware than software anymore. And please explain the technical implementations of a “separate channel”. A physical switch eh? A write-protect on a USB stick is mighty handy, and unfortunately they don’t have too many of those floating around in the market place anymore, however have you ever operated one of those? It’s annoying if you are reading/writing things to it, then having to lock it up, then having to unlock it again. It like an OS requires writing constantly because processes and files can’t be static or compartmentalized. There’s something called “sandboxing” and a “virtual machine” yet even those have their drawbacks.
2. If 1. interferes with your copy-protection or other DRM, tough cookies.
Tough cookies?! This is DRM heaven! ROM media means READ ONLY meaning people couldn’t copy off the information. Maybe the music industry will buy your idea, best of luck to them in implementing it. They have the ROM media but not the platform.
3. There should be no auto-run of any kind. This includes pop-ups. Find another way to support your Web site.
I think you didn’t read the article at all, if you don’t read the article and you make wonky irrelevant statements. First off programs that automatically run at startup can be both beneficial and detrimental, ie the JAVA updater, which takes some system resources, but notifies and downloads the latest update pushed out so you don’t get those pop-ups.
Second off, if you have HTML code, you have the ability to create a popup, if you have Firefox or a later version of IE, you can block that pop-up. If you have Java installed and a java popup comes up, you have the option of not using java. What are you trying to say here?! Let’s make pie fall out of sky, nevermind water does in reality but if we want pie, we will get pie! Do you live in the 90′s to still have this issue?
4. It should be impossible to create a rootkit. OS’s should be capable of accessing that level of the computer.
It should also be impossible to commit crimes and hurt people’s feelings when they write nonsensical blog comments. oops. Again, permissions, UAC that try to prevent access at the kernel level get overrun.
5. All software should have a single point of contact with the user so that deleting the software deletes every trace of it.
That’s why people like portable applications, however you’re forgetting many of these programs rely on writing to the registry…WHEN IN DOUBT SWITCH TO APPLE!!
6. Nothing executes without the specific action of the user. Especially, nothing from outside. That means software will have to be completely self-contained so the user doesn’t have to run 100 different DLL’s.
Portable applications… again it’s your choice to install an app or find a portable version of it, or make a portable version of it. And have you heard of Windows UAC? That’s the idea behind it, but it doesn’t work because people become trained to just click OK. Also what you sound like you are trying to advocate for is different levels of access to the OS, however if you listened to any of the lectures Mark Russinovich (If you don’t know who this is, you don’t have the right to talk about Windows) gave, malware now evolving to operate even when there aren’t administrative options.
7. If these safeguards warp someone’s little brain, they can buy a regular old infectable computer. But create a line of ultra-secure computers for those who want them.
This is why I’m giving you so much shit, you think brain size is correlated to intelligence, an outdated school of thought (then again I didn’t expect someone with those creative comments above to understand neurobiology), and your pretentious statement reads “it’s my way or the highway” without remembering there are PLENTY of alternatives to the Windows OS that are more secure.

8. Turn your ‘pooter OFF at night. It will at least be eight hours less for bad guys to attack you, or use your computer in their botnet.
This isn’t the 90′s grandpa, when you go on a site with a java zero-day exploit it doesn’t matter how long your connection is open. This is 2010, everyone’s connection is open 24/7. Time is not the cause, an insecure system is. Again, stop coming onto sites and making your own frog-in-the-well comments with out at least reading the blog entry, it’s people like you with backwards ideas who don’t pay attention that get their computers infected.

Okay, as an open source programmer & 3-D modelling artists: I’m gonna have a lot more to say…

But 1st I just wanted to say a few things: Welcome Back, *w00t!*, and *uber-thnx* for bringing back DBS’ podcast. I know I’m kinda late on the uptake . I do remember your announcement, of DBS podcast “death” and though I didn’t think I’d unsubscribed… well it turns out that I did.

Which makes my return to DBS, as a listener, all the sweeter. And as an uber-nerdette I love that you’ve addressed this issue. I have a ton of people who I’ll def be sharing this episode & article with. Thank you!

I’ll be back later to babble a whole bunch more. But I just wanted to, at least, send you my thank yous & welcome backs!

Please keep the podcasts coming & thnx again for all of your.
Take care & thnx again – Kaity G. B.

I can cite everything you need. Most of my knowledge is from first hand experience with the above. if you email me i will provide you with what i can, but will not do so on a public forum.