
Ask Slashdot: How Dead Is Antivirus, Exactly?

Soulskill posted about 2 months ago | from the deader-than-an-arbitrarily-dead-thing dept.

Security 331

Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or should it be reduced to only stopping the easiest and most well-known threats?

Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?


331 comments


Ask Slashdot: Buy 1, get 9 Free Combo! (0)

Anonymous Coward | about 2 months ago | (#47687893)

How many more questions could they fit in a My Slashdot submission? One? Two? Three? Four? Five more? Six more questions? Seven? Eight? Nine?

Never mind the quantity, feel the quality (4, Interesting)

Badger Nadgers (2423622) | about 2 months ago | (#47687901)

"only 40% of its versions can be stopped by antivirus software" Take a general case. What proportion of crime is stopped by the police?

Re:Never mind the quantity, feel the quality (-1)

Anonymous Coward | about 2 months ago | (#47687931)

Take a general case. What proportion of crime is stopped by the police?

How about a specific case. What proportion of stupid analogies are stopped by a few moment's thought?

Re:Never mind the quantity, feel the quality (2)

Runaway1956 (1322357) | about 2 months ago | (#47688115)

GP's question is a good analogy. Police can only solve crimes that have been committed. Antivirus only fixes problems that have already been identified.

End state and private capitalism. (-1, Offtopic)

Anonymous Coward | about 2 months ago | (#47687897)

Humans are a whole loadda tabula rasa. Create an environment where people's selfishness and greed aren't reinforced from day zero, and you won't find so many people willing to shit on each other for a quick buck.

Universal basic income for all. You enjoy something? Do it for the sake of achievement. What happened to doing things just because they are hard?

Re: End state and private capitalism. (0)

Anonymous Coward | about 2 months ago | (#47687903)

the solution is virustotal... one client to scan all ur files... but it is forbidden lol
the other solution is whitelist...

Re:End state and private capitalism. (0, Offtopic)

epyT-R (613989) | about 2 months ago | (#47687969)

Simple, when you try to use the state to force people not to be greedy, you end up building it into the greedy control freak you wanted to avoid in the first place.

When everyone has universal income, few will actually want to produce anything worth buying beyond basic necessities, which they will just produce for themselves. When the state sees this, it will step in and redistribute, demoralizing these producers as well. This is what happened to consumer goods in the soviet union.

Re:End state and private capitalism. (1, Offtopic)

IamTheRealMike (537420) | about 2 months ago | (#47688293)

He said universal basic income, which is certainly not high enough to allow anyone to buy anything they want. There would still be a divide between rich and poor with such a policy.

BTW I don't think basic income has ever been tried. Certainly massive nationalisation of all industries a la Soviet communism is not it.

Re: End state and private capitalism. (0)

DaMattster (977781) | about 2 months ago | (#47688095)

It's been tried before and failed miserably. The experiment was called Communism and basic human nature precluded it from the being successful.

Re: End state and private capitalism. (1)

Imrik (148191) | about 2 months ago | (#47688183)

The experiments in large scale communism have been the opposite of what the GP requested. They typically have reinforced selfishness and greed even more than capitalism as they are needed to survive rather than just to thrive.

Re: End state and private capitalism. (3, Interesting)

DaMattster (977781) | about 2 months ago | (#47688105)

In an ideal world we would be a bunch of smurfs helping each other out when needed. However, this would simply be utopian. This lifestyle might work for small communities of 5-25 people where everyone is dependent upon each other for friendship, socialization, and survival.

Re:End state and private capitalism. (1)

Anonymous Coward | about 2 months ago | (#47688131)

In order for a country to provide a basic income, without itself going bankrupt, it would need to keep the number of citizens from rapidly rising.
When you look at how high the stakes are, it should be clear that basic income is only viable if excessive reproduction and illegal immigration were both capital crimes.
Something to think about when you propose basic income as a solution.

Re:End state and private capitalism. (1)

Imrik (148191) | about 2 months ago | (#47688211)

Excessive reproduction isn't really a problem in countries with relatively high standards of living, lack of reproduction is closer to being a problem.

Illegal immigration wouldn't be a problem if the basic income were only provided to citizens. Especially if it meant that jobs paid considerably less.

The bigger problem is paying for it. Since workers wouldn't need to be paid as much, employers would be the likely targets. However, taxing by headcount would result in under-the-table employment. Taxing by income would be bad for companies with few employees as they wouldn't be able to take advantage of the savings.

End state and private capitalism. (-1)

Anonymous Coward | about 2 months ago | (#47688179)

May I visit your house? I want to see if you might have more than I do, and if so, I'd like to have it so we can be equal. Please let me know when I can drop by. Thanks.

Re:End state and private capitalism. (-1)

Anonymous Coward | about 2 months ago | (#47688203)

Universal basic income for all. You enjoy something? Do it for the sake of achievement. What happened to doing things just because they are hard?

This is stupid at an epic level. Don't force people to work for a living, let them do what they enjoy!

That's brilliant: We'll have millions of professional skateboarders, musicians, basketball players and a sommelier on every corner.

But nobody to pick up the garbage - do you really think people want to ride around on a smelly garbage truck all day for their own personal fulfillment? Or how about replacing the pumps at a sewage treatment facility? Heck, even writing code - sure there are plenty of people on slashdot who would write code for free just for their own personal enjoyment.... they just wouldn't go to their current job at Xcorp to do it. So we'd have more indie games and media center apps, but who would program the embedded systems in the lift pump system that keeps Florida from being underwater? Or automate the warehouse inventory control system as a subledger to the GL?

In short, what do you think you are going to do with your free basic income? What are you going to buy with that money when nobody is making anything for you to buy?

I suppose you aren't abolishing compensation, just making it so that there is a base income level. Which means every job must be compensated significantly above the base (or you wouldn't do it). Which means that the cost of goods would quickly escalate to chase the new labor market until the "base income" was no longer liveable.... or you'd just keep elevating the base in a sisyphean task of ever-escalating inflation.

Re:End state and private capitalism. (2)

jbengt (874751) | about 2 months ago | (#47688351)

. . . but who would program the embedded systems in the lift pump system that keeps Florida from being underwater?

You say that like it'd be a bad thing.

Re:End state and private capitalism. (1)

retroworks (652802) | about 2 months ago | (#47688227)

And we reduce resource consumption as well for the sake of achievement? Keep in mind that cost savings have driven most of the conservation as well as most of the extraction of earth resources. Risking capital investment for the sake of achievement isn't something many would buy into.

Re:End state and private capitalism. (0)

Anonymous Coward | about 2 months ago | (#47688313)

Humans are a whole loadda tabula rasa.

No they aren't. Not even close. Kids come out largely as they will be. I have 4 myself. They are all great kids. We raise them to be good citizens and just good people in general. My wife uses her doctorate in sociology to help "at risk youth", so she is adamant about teaching empathy for others and service to those less fortunate.

But they are pretty much who they are when they are born. You can nurture them in a certain direction, but they are not going to change their core personality no matter what you do. At least not for the better. All of our kids are great kids, top students with lots of friends and volunteer in the community. But they are also very different. Two are alpha dogs who *must* be in control. Bossy is the word you would use. They didn't get that way because we trained them - they were born that way. Teaching them when to suppress that urge is an ongoing battle. One of their brothers is a born lieutenant. He would never be bossy. The other could go either way, depending on what the situation required.

And pretty much every kid is going to take advantage when they can. Even our super-nice pleaser who is always trying to help others and would give you the shirt off his back. The same kid who will give away all of his candy to his friends will try to trick his sister into giving him her candy if the mood strikes.

In fact, kids are a great example of what "free basic income for all" teaches you. They don't understand that things cost money, and that money is hard to get. They don't worry about breaking something because you can just go get another one at the store. These are the things that you have to spend years teaching a kid - work ethic, personal responsibility, etc. They are born with the notion that everything is theirs and the world is centered on them. This changes as they grow and develop, but the default state is not an absence of greed and selfishness.

Dead as a profit source for Symantec, well, ... (4, Insightful)

fraxinus-tree (717851) | about 2 months ago | (#47687905)

Dead as a security layer - not really. Also not dead as a profit source for other companies.

Re:Dead as a profit source for Symantec, well, ... (5, Insightful)

fraxinus-tree (717851) | about 2 months ago | (#47687917)

p.s. it is perfectly viable for a literate individual to not use an antivirus. It is also possible to not use AV on a PC in a corporate environment, but it has its implications. Then again, on a mailserver, a non-intrusive AV scanner (i.e. not adding 7 lines of bullshit at the end of every legitimate email) has a pretty good hassle-to-benefit ratio.

Re:Dead as a profit source for Symantec, well, ... (2)

goarilla (908067) | about 2 months ago | (#47687937)

p.s. it is perfectly viable for a literate individual to not use an antivirus. It is also possible to not use AV on a PC in a corporate environment, but it has its implications. T

I think using the OS supplied security controls the Windows Vista/7/8 family provides: Applocker/SRS, Group Policy, App-V is preferable to running antivirus in an OR scenario. It's also a lot more complicated.

Re:Dead as a profit source for Symantec, well, ... (4, Interesting)

swb (14022) | about 2 months ago | (#47688261)

I have a small client that hasn't run anything more than Microsoft Security Essentials for three years, mainly because they don't want to spend the money.

So far, I've only had to rebuild about 3 PCs in that time frame due to infection. They also got hit by cryptolocker but at a weird time where it just made sense to reload the share directories from a recent backup because there hadn't been any changes to worry about between infection and last backup.

The controller feels that this is more or less an acceptable trade-off over time -- my labor cost to rebuild the PCs vs. the ongoing cost of AV.

Re:Dead as a profit source for Symantec, well, ... (4, Interesting)

Cyberdyne (104305) | about 2 months ago | (#47688349)

The controller feels that this is more or less an acceptable trade-off over time -- my labor cost to rebuild the PCs vs. the ongoing cost of AV.

They are probably right there - of those 3 rebuilds, how many do you think would have been prevented by paying more for any given AV product? Thinking back, I can remember several PCs needing recovery work because of the AV system in use (good old McAfee pulled down an update which declared a piece of Windows XP itself to be malware and need deletion - leaving a machine you couldn't log in to until that file was reinstalled), and probably two nasty infections for me to clean, which got in despite McAfee being present with fairly paranoid settings.

Re:Dead as a profit source for Symantec, well, ... (2)

blippo (158203) | about 2 months ago | (#47687945)

Since the industry managed to turn against the users and trust only the media industry, the "trusted computing" solution is not a viable option.

Otherwise, it would have been nice to allow only certain binaries or software developers/publishers to run. It would also be nice to sign the binaries and not allow changes.

Since the user seems to be the least trusted element, and it seems that I have to blindly trust 200+ root certificate signers when using the web, there is no use in pretending that there exists any computer security at all. Anyone that is motivated enough will be able to run an executable on your machine.

Re:Dead as a profit source for Symantec, well, ... (2)

Cyberdyne (104305) | about 2 months ago | (#47688447)

Otherwise, it would have been nice to allow only certain binaries or software developers/publishers to run. It would also be nice to sign the binaries and not allow changes.

That would be less help than you might expect (although OS X does do exactly this by default now). Remember all those Word macro viruses of a few years ago? Totally unaffected: it's a genuine copy of MS Word that's running, it's just doing something it really, really shouldn't be. Likewise any browser exploit. Trojans have always relied on the user to execute - and in general, they will execute them, whatever dire warnings you may put in place, unless you can give them a totally locked down system (which, even in a strict corporate setting, is often politically impossible). In a University setting, I've had very senior academics call me up with "I can't open this CampusLife.pdf.exe file someone sent me ... and it won't open on my secretary's PC either." Of course it was malware - but any computer restrictions to prevent that would probably have resulted in unemployment rather than a more secure PC. Telling people at the top of the food chain "you aren't allowed to do that" just won't work. (Fortunately, opening that particular worm did nothing anyway - it either relied on Outlook, or having outbound port 25 open, neither of which applied at that time.)

Ultimately, for anything more than the most limited functionality, you will have security holes - just like you will get hard drives and power supplies failing, keyboards and mice getting choked up with gunk. Reduce the risks where it makes sense (RAID and redundant PSUs for servers, good patch management, sensible firewall settings) and then deal with things that go wrong effectively when it does happen (spares, backups, etc).

Like real life, take sensible security precautions - but going too far can do as much harm as having poor security. Do you drive everywhere in an armored vehicle with armed escorts? Unless you're POTUS or equivalent, that would just be silly - I seem to recall there have been cases of people dying after getting trapped in "panic rooms" after false alarms, because medical help couldn't get to them in time! So, don't be the computer equivalent: blocking attachments entirely is secure, but is it useful?

Incentive Bug Finding (2, Interesting)

Anonymous Coward | about 2 months ago | (#47687913)

What are virus writers looking to get out of writing malware? Money? Fame? Absolute Power?? Well neither of the last two are ever going to happen.

We should incentivize the reporting of bugs... Getting recognition as being a prolific bug finder, and fixer in a positive light would be a start. Also being paid is another avenue. Optional fame, and a steady reliable source of money would be very appealing to most people.

Am I just being naive?

Re:Incentive Bug Finding (4, Interesting)

Opportunist (166417) | about 2 months ago | (#47688049)

Money. Simple as that.

I've been on the "other side" of the security business for a bit over a decade now. I'm not really earning pocket change, but it's by some margin dwarfed by what the criminal side of our business makes.

Malware is profitable. If you really want to fight malware, you first have to make it unprofitable. As long as it is possible to profit from spam and botnets, it's not going to stop. And since the source of spam and botnets is in countries you can't really reach, while the targets are "here", I guess it's time to start punishing those who are unable or unwilling to keep their computers secure.

Yes, that means punishing the victim. Whereas the victim here is a facilitator for the culprit. It's like leaving your car unlocked and open on the main road and someone using it for a bank heist. I don't know about yours, but in my country, if that's your car you're due for facilitating a crime.

Re:Incentive Bug Finding (3, Funny)

IamTheRealMike (537420) | about 2 months ago | (#47688295)

I guess it's time to start punishing those who are unable or unwilling to keep their computers secure.

But as most people just use the tools they're given and can't control how secure those tools are, in practice that would mean punishing computer programmers.

If you want the usage of C and C++ to be considered equivalent to suicide then this would be a great policy to bring about such a world.

what country? (0)

Anonymous Coward | about 2 months ago | (#47688339)

In all the US states I checked it is necessary to "knowingly provide assistance" or similar wording. New York had "believing it probable" your actions would aid a crime. That said, leaving a car with the key in the ignition is kind of like leaving out a loaded firearm for anyone to use. In most places legal, but not the wisest idea.

Switch to linux / OsX. (-1, Troll)

Anonymous Coward | about 2 months ago | (#47687915)

Never seen viruses on Linux. I've been using it for 15 years.

Re:Switch to linux / OsX. (5, Informative)

Anonymous Coward | about 2 months ago | (#47687927)

Never seen viruses on Linux.

I have. And that's on desktop GNU/Linux with its ~2% market share. If you look at mobile Linux (Android) the situation is much worse.

Re:Switch to linux / OsX. (-1, Redundant)

Anonymous Coward | about 2 months ago | (#47688039)

Some ignorant guy says viruses don't exist, is modded insightful. Other guy has seen viruses that certainly do exist, is modded troll. Delusional mods are out of touch with reality.

Re:Switch to linux / OsX. (1)

Anonymous Coward | about 2 months ago | (#47688133)

I've never seen a black swan != black swans don't exist.

Re:Switch to linux / OsX. (0)

Anonymous Coward | about 2 months ago | (#47688273)

I've been using it for 10 years and haven't seen it either.

Oh, wait, you're one of those ... that installs apps from all kinds of sources and is surprised when something bad actually does happen ...

One question that should've been first. Is your username root by any chance?

Linux's Security (1)

Sanians (2738917) | about 2 months ago | (#47688421)

I've been using it for 10 years and haven't seen it either.

Would you even know? Perhaps if it's like Windows malware, where you end up with so much of it that the computer is unusable, but what if you only end up with one piece of malware which is careful to do things covertly?

Ten years ago you may have been able to spot malware with a simple "ps -A" but I don't even look at the output of that command anymore. There are so many processes running on my computer that any of them could be malware and I'd have no idea. ...and that's talking about malware that doesn't bother to hide itself by infecting another executable or at least adopting the same executable name as a daemon that's supposed to be running.

One question that should've been first. Is your username root by any chance?

I'm curious why everyone thinks this matters. The only way I could see it making any difference is if you had a virus scanner, which could then run as root and be immune to any BS that the malware attempted as a normal user. ...but who has a Linux virus scanner? I know there's ClamAV, but I get the feeling it isn't for finding malware in Linux, it's for finding malware in email that passes through Linux. So what exactly do you prevent malware from doing by not allowing it access to the root account? Does it prevent it from accessing the internet to send spam? Does it prevent it from recording your keystrokes and sending them to someone else? Does it prevent it from accessing your microphone and bugging your house? Last I checked, I could record audio without 'sudo' and so I'm pretty sure a non-root piece of malware could do it too.

Telling people not to run processes as root is just ignoring real security solutions. Every application should be sandboxed, no matter what it is. For example, when I use a word processing application, why should it be able to read/write any file anywhere on my hard disk that I'm allowed to access? If it wants to read or write a file, it can make an API call that brings up a file open/save dialogue provided by the OS, which ensures that I'm giving it permission to access the files it reads or writes. As for storing settings and other random bits of data, the OS can provide it with a folder on the filesystem it has free access to, but to access anything outside of that, it needs to use the API for the file open/save dialogue. With this kind of security, you can open documents with all kinds of stupid scripting that takes over the entire application, but it's largely stopped right there, and can't access anything on the computer that you don't give that application permission to access. ...and it's all entirely transparent to the user, because they already open/save their files via a file open/save dialogue provided by the OS. The only thing that changes is that the open() system call is limited to a specific directory for each application to store its settings/history data in. Very few applications need that sort of free access to the computer, and essentially all of them are provided by the OS itself, like the basic file manager, file archive/compression tools, etc. So it'd be easy to do, it'd provide real security, and yet rather than do that, all we do is tell people "as long as you don't run as root, you'll be perfectly secure" as if that makes any difference at all.

I mean, just imagine how secure Adobe Flash would be if it were sandboxed such that all it can do is get the web browser to perform HTTP requests on its behalf, and output audio and video? What would any exploit for it be able to do, besides make HTTP requests and display audio and video? ...but that's not how our computers work. For some reason our OSs allow applications we run to do anything at all that we ourselves are allowed to do on our computers, and everyone thinks that's not a problem.

If any modern OS had real security, you'd be able to download malware intentionally, run it just like you'd run any other application you want to use, and still remain safe since the malware would be unable to access anything you don't want it to access.
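The design sketched in the post above (an application that can freely use one private directory and must go through the OS-provided open/save dialogue for everything else) can be modelled as a small file-access broker. The code below is an added example written for this page, not code from the post or from any OS; `FileBroker`, `grant()` and the directory layout it builds in a temporary folder are this example's own inventions, and the user's dialogue choice is simulated by a `grant()` call.

```python
"""Added example (not from the Slashdot thread): a minimal file-access broker.

The application gets free access to one private settings directory; any other
path must be explicitly granted by the user, which stands in for the OS
open/save dialogue returning a handle to the chosen file.  All names here are
this example's own inventions."""
import tempfile
from pathlib import Path


class AccessDenied(PermissionError):
    """Raised when the sandboxed application asks for a path it was not granted."""


class FileBroker:
    """Mediates every file open performed on behalf of one application."""

    def __init__(self, private_dir):
        self.private_dir = Path(private_dir).resolve()
        self._granted = set()          # resolved paths the user picked in a dialogue

    def _inside_private(self, resolved):
        try:
            resolved.relative_to(self.private_dir)
            return True
        except ValueError:
            return False

    def grant(self, path):
        """The user chose this file in the (simulated) dialogue; remember it."""
        self._granted.add(Path(path).resolve())

    def open(self, path, mode="r"):
        """Open only paths inside the private dir or explicitly granted ones.

        Resolving first defeats '..' components and symlinks that would point
        out of the private directory."""
        resolved = Path(path).resolve()
        if self._inside_private(resolved) or resolved in self._granted:
            return open(resolved, mode)
        raise AccessDenied(f"{path} is outside the sandbox and was not granted")


def demo():
    """Exercise the broker on a constructed layout; returns the observed outcomes."""
    base = Path(tempfile.mkdtemp())
    private = base / "app_settings"
    private.mkdir()
    secret = base / "home" / "secret.txt"     # constructed: never shown to the app
    secret.parent.mkdir()
    secret.write_text("bank details")
    picked = base / "home" / "report.odt"     # constructed: the file the user opens
    picked.write_text("quarterly report")

    broker = FileBroker(private)
    with broker.open(private / "settings.ini", "w") as f:    # private dir: allowed
        f.write("[ui]\ntheme=dark\n")
    broker.grant(picked)                                     # user picked it
    with broker.open(picked) as f:                           # granted: allowed
        granted_text = f.read()
    try:
        broker.open(secret)                                  # never granted: denied
        blocked = False
    except AccessDenied:
        blocked = True
    try:                      # a '..' escape from the private dir is also denied
        broker.open(private / ".." / "home" / "secret.txt")
        escaped = True
    except AccessDenied:
        escaped = False
    return (private / "settings.ini").read_text(), granted_text, blocked, escaped


if __name__ == "__main__":
    print(demo())
```

The point the broker makes concrete is that the policy decision happens at a single choke point the application cannot bypass, and that the check runs on the resolved path, so a document macro that tries `../../home/secret.txt` is refused just like a direct request.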

Re:Switch to linux / OsX. (5, Insightful)

Der Huhn Teufel (688813) | about 2 months ago | (#47687941)

Which will last exactly as long as it isn't profitable to make a virus for it. If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.

Re:Switch to linux / OsX. (2, Interesting)

Anonymous Coward | about 2 months ago | (#47688193)

Which will last exactly as long as it isn't profitable to make a virus for it.

If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.

This old Trope again; completely belied by the facts that:

  • MacOS which was not so popular was one of the major virus problem OSs
  • OSX, which is much more popular, gets almost no viruses whilst
  • Google default Android which is much more popular than Windows gets practically no viruses whilst
  • Chinese Android clones, which have a smaller market than mainline Android Get lots and
  • iOS which is more popular than that, gets practically none

There are several major things;

  • does the OS run "default secure" like Ubuntu, RedHat, Android and iOS where only verified software is installed and there won't be servers running on a normal user install. - if yes you tend to be okay - if no, like Windows and Chinese Android, you tend to lose
  • does the vendor keep backdoors into the system like Windows Update and ActiveX or do they treat security flaws as bugs and fix them no matter what - like most BSD and Linux variants
  • does the vendor blame the victim - like UAC or do they just block stupidity and, for example, require the admin to do command line security disabling for special cases - like Red Hat Enterprise Linux and OpenBSD

Each of these are design differences and the problems come down to commercial choices by Microsoft to increase their profit at the risk of their own users' safety. Microsoft invented the executable email attachment making email spreading viruses, previously thought of as just a joke, a reality. Note, that these are not technical problems. The Windows NT kernel, a design copied from VMS, is a perfectly fine base for security. What is needed to get rid of viruses is to start to see competing companies who actually care about their users and not just the lockin and immediate profit they can extract from those users.

Re:Switch to linux / OsX. (0)

Anonymous Coward | about 2 months ago | (#47688205)

It already is profitable.

Getting a linux PC onto a botnet is far more useful than windows because they generally have more bandwidth and processing power available

Re:Switch to linux / OsX. (5, Insightful)

swillden (191260) | about 2 months ago | (#47688275)

Which will last exactly as long as it isn't profitable to make a virus for it. If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.

Actually, compromised Linux systems are in high demand because they make great botnet command and control servers. They're far more valuable than a compromised Windows box.

Also, the assumption behind your assertion is easily demonstrated to be untrue. MacOS had major virus problems, in spite of being much less popular than Windows. OS X has almost no viruses, in spite of being much more popular than MacOS. Android is a great case study: The dominant Android versions, using the Google Play store only, have no significant virus problems, while the much, much less popular Chinese devices have lots. iOS, of course, has basically none, and it's a far more attractive and profitable target than Chinese Android devices. It's less popular than mainstream Android, but given the demographics of the platforms is probably more attractive.

Market share has basically nothing to do with vulnerability to malware.

Re:Switch to linux / OsX. (0)

Anonymous Coward | about 2 months ago | (#47687971)

I've seen malware kernel modules on Linux. That was 12 years ago.

Re:Switch to linux / OsX. (4, Interesting)

Opportunist (166417) | about 2 months ago | (#47688059)

Mostly 'cause it's not profitable. Too small a market. Same reason why business software is rare for Linux (desktop, at least): No market.

As for "but it's more secure because you don't need root for every shit": The current big thing, cryptolocker, would work just as well on Linux. It needs no special privileges, all it needs is to run as the current user to encrypt all of the current user's documents and hold them for ransom.

I don't want to start the flamewar of whether Linux is more secure than Windows. Mostly because it does not matter jack. Linux could be the most insecure OS on the planet and still Windows would get the bigger share of malware. Simply because it is the bigger market.

cryptolocker solution (1)

John_Sauter (595980) | about 2 months ago | (#47688191)

... The current big thing, cryptolocker, would work just as well on Linux. It needs no special privileges, all it needs is to run as the current user to encrypt all of the current user's documents and hold them for ransom....

There is a solution for this class of malware, but it isn't anti-virus. Since cryptolocker only damages user data, the operating system should provide a secure and automatic backup of the user's data. Any time a user's file is changed, the new version is recorded on the backup, with its date. From the user's point of view, the backups are read-only, so malware can't damage them, and the user can retrieve an old version of a file at any time.
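The versioned, read-only backup the post above proposes can be prototyped in a few dozen lines. This is an added example for this page, not code from the post or from any operating system: `VersionStore`, its method names and the `thesis.txt` scenario are constructed. Each changed version of a file is copied under a timestamp-derived name and made read-only, earlier versions are never overwritten, and the demo then overwrites the live file with random bytes (standing in for a ransomware-encrypted copy) and rolls it back.

```python
"""Added example (not part of the thread): an append-only history of file
versions.  Every change to a user file is recorded as a new read-only copy;
older copies are never rewritten, so damage to the live file can be undone by
restoring the last good version.  VersionStore and its names are constructed."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


class VersionStore:
    """Append-only version history, keyed by the file's path relative to $HOME."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def _digest_of(path):
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()

    def versions(self, rel_path):
        """Version names for rel_path, oldest first (zero-padded, so sortable)."""
        hist = self.root / rel_path
        return sorted(p.name for p in hist.iterdir()) if hist.exists() else []

    def snapshot(self, src, rel_path, when):
        """Record src as a new version of rel_path unless its content is unchanged.

        when: a monotonically increasing integer (e.g. epoch seconds) that names
        the version.  Returns the version name, or None when nothing changed."""
        hist = self.root / rel_path
        hist.mkdir(parents=True, exist_ok=True)
        existing = self.versions(rel_path)
        if existing and self._digest_of(hist / existing[-1]) == self._digest_of(src):
            return None                                  # identical to last copy
        dest = hist / f"{when:012d}"
        if dest.exists():                                # history is never rewritten
            raise FileExistsError(f"version {when} already recorded for {rel_path}")
        shutil.copyfile(src, dest)
        os.chmod(dest, stat.S_IRUSR)                     # owner read-only
        return dest.name

    def restore(self, rel_path, version, dest):
        """Copy a recorded version back over the live file; returns its bytes."""
        shutil.copyfile(self.root / rel_path / version, dest)
        return Path(dest).read_bytes()


def demo():
    """Constructed scenario: edits, a ransomware-style overwrite, then rollback."""
    base = Path(tempfile.mkdtemp())
    live = base / "home" / "thesis.txt"
    live.parent.mkdir()
    store = VersionStore(base / "backup")

    live.write_text("chapter 1: introduction")                 # constructed document
    v1 = store.snapshot(live, "thesis.txt", when=1000)
    v_same = store.snapshot(live, "thesis.txt", when=1001)     # unchanged: skipped
    live.write_text("chapter 1: introduction\nchapter 2: method")
    v2 = store.snapshot(live, "thesis.txt", when=1002)

    live.write_bytes(os.urandom(64))         # stand-in for an encrypted live copy
    v3 = store.snapshot(live, "thesis.txt", when=1003)         # damage recorded too

    restored = store.restore("thesis.txt", v2, live)           # roll back to last good
    return v1, v_same, v2, v3, store.versions("thesis.txt"), restored.decode()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the backup root would live where the user's own processes have no write access at all (a separate account, a snapshotting filesystem, or a remote store), which is what makes the history safe from the same process that damaged the live file; the read-only bit here only illustrates the intent.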

Re:cryptolocker solution (2)

redback (15527) | about 2 months ago | (#47688315)

Windows does basically this. Volume Shadow Copy Service.

I have used it to recover machines from cryptolocker.

Re:Switch to linux / OsX. (1)

el_chicano (36361) | about 2 months ago | (#47688357)

As for "but it's more secure because you don't need root for every shit": The current big thing, cryptolocker, would work just as well on Linux. It needs no special privileges, all it needs is to run as the current user to encrypt all of the current user's documents and hold them for ransom.

Hmmm... You have a regular user called user who has their docs in /home/user. You surf the web with a different user, say webuser, who has their docs in /home/webuser. If webuser is dumb enough to run a script that encrypts /home/webuser what has the hacker accomplished?

They haven't touched anything in /home/user. You can log in as root and run: 'rm -rf /home/webuser' then 'mkdir /home/webuser'. Copy a few files from /etc/skel then run 'chown -R webuser:webuser /home/webuser' and you are back in business. Or you can run 'userdel -r webuser' and 'useradd -m -d /home/webuser webuser' and you are good to go.

Either way whoever encrypted webuser's files just wasted their time with very little to show for it as the problem can be easily fixed by you at the cost of just a couple of minutes of your time.

Also just about every Linux user I know has good backups of their documents. If you happen to be stupid enough to get your home directory encrypted and you don't have good backups then you probably shouldn't be using a computer much less using Linux.

I don't want to start the flamewar of whether Linux is more secure than Windows.

Yeah right. Every single racist I have met has told me "I am not a racist". Just because someone claims something is true that does not necessarily mean that that something is actually true.

Whitelisting and whitelisters (1)

Anonymous Coward | about 2 months ago | (#47687919)

Whitelisting already works pretty well.
As much as people like to bash Windows, I'd estimate that 99% of malware can be avoided if the user knows what he's doing. (It's not just not running sexy_babe.avi.exe, but also not installing the Java browser plugin, for example.)

As long as the OS leaves the user freedom to install software, malware is inevitable. And that's fine by me. For the rest, the best solution is "centralized whitelisting" done through an app store, as practiced in iOS, WP and such.

Re:Whitelisting and whitelisters (1)

thogard (43403) | about 2 months ago | (#47687955)

Microware OS9 running on a Radio Shack Color Computer in 1984 had module whitelisting. It used CRC but it was a step in the right direction. Too bad it took Microsoft decades to catch up.

Whitelisting and whitelisters (1)

Anonymous Coward | about 2 months ago | (#47688021)

Actually, OS X's system is even better than that. It has a setting allowing only white-listed apps from the store, a setting allowing only apps signed with an Apple-supplied certificate (everybody can get those, but they can and are quickly and easily revoked), and a setting allowing everything. The default is (currently) the middle level, probably moving on to the strictest.

Sandboxing (4, Interesting)

OpenSourced (323149) | about 2 months ago | (#47687951)

I'd say security in the future will converge on three lines:

a) Sandboxed browsers/apps: Different browsers for mail access, general browsing and sensitive browsing (banking, using credit card, etc). All browsers revert to base state after closing, or allowing just a limited set of changes (bookmarks, cookies). The browsers are possibly stored in a USB stick with a physical write protection switch for part of the storage.

b) Trust structure: The OS will only execute programs with a certain signature, based on a chain of trust. You can choose who to trust or not.

c) Closed devices: (See Apple iPhone and iPad, but with paranoid-mode).

Well implemented, these strategies can reduce the malware threat, and they are implementable with current technology. I really don't see the anti-virus surviving much. It's an after-the-fact tech that was born as a patch for systems unprepared for a new threat. The playing board is now set and the structure of the systems must change to reflect that.

Re:Sandboxing (2)

AmiMoJo (196126) | about 2 months ago | (#47687977)

c) Closed devices: (See Apple iPhone and iPad, but with paranoid-mode).

That sounds horrible. We need to find a way to have security and openness, so that people can control their own devices. Personally I like Cyanogen. It gives you very fine grained control over app permissions and allows you to take or leave interaction with Google.

Re:Sandboxing (4, Insightful)

Opportunist (166417) | about 2 months ago | (#47688063)

That is actually the problem. You cannot have both.

EITHER you only allow execution of programs that are explicitly whitelisted by some authority. Whatever authority that may be. A corporation, the state or you (respectively whoever happens to be your admin). Then you can be certain that only stuff that had the dead chicken waved over will run.

OR you allow the user to determine what to run. Then there is literally NOTHING any security concept can do to avoid a disaster. I'm all for this approach, believe me, but what blame could you put on the OS when it keeps telling the user that it's NOT a smart idea to run happy_funny_kitten.avi.exe and the user insists?

Re:Sandboxing (0)

Anonymous Coward | about 2 months ago | (#47688145)

Extremes, always the solution.

Re:Sandboxing (3, Insightful)

AmiMoJo (196126) | about 2 months ago | (#47688341)

Agreed, but we don't need perfect security. We just need really good security and moderately careful users. I know, that's easier said than done, but I like the Android option of defaulting to just the carefully managed Play store and with Google having the ability to remotely delete apps (even if side loaded), while still giving power users the option to do what they like.

Saw similar posts before the web existed (4, Insightful)

dbIII (701233) | about 2 months ago | (#47687989)

I saw similar posts before the web existed, let alone Slashdot. A policy of "allow all" was seen to be easiest so the malware problem persists despite all the lessons of the past and good advice like the above.
Java was supposed to be sandboxed entirely with zero chance of malware getting to anything other than its own litter tray. Look how that turned out when it was seen as all too hard and compromises were made. Then there's the opposite that was born stupid, things like Active-X from MS that were such a stupid idea that a librarian (not a programmer) was telling me how stupid it was before launch. Then things like allowing execution of arbitrary code in images, another case of MS fucking up in a truly astonishing way - how the hell do things like that end up as anything other than SF novel plot points in a large corporation that is supposed to be competently managed?
The answer as always is to learn from the lessons of the past instead of throwing together a pile of bits that look software shaped and rushing it out the door.

Re:Saw similar posts before the web existed (4, Insightful)

NoNonAlphaCharsHere (2201864) | about 2 months ago | (#47688069)

Much as I despise posts that start with "this", I have to agree. Until Microsoft loses their fascination with whizzo shit like displaying (i.e. running) unexamined/foreign stuff as "previews" and confusing that with "interoperability", the problem will persist. They've never gotten it through their heads that all this "seamless" wonderfulness that looks so great as 2-minute demos in developer conference rollout keynotes causes unending grief for decades to come. Sometimes other companies fall prey to this kind of thinking (Firefox toolbars), but they learned it all at the feet of the masters, with Outlook previews and Word macros, and Explorer running code from .bmp files when you visit the directory... And then, of course there's IE, the crack whore of the industry, who'll have unprotected sex with ANYTHING.

Re:Saw similar posts before the web existed (2)

benjymouse (756774) | about 2 months ago | (#47688271)

Java was supposed to be sandboxed entirely with zero chance of malware getting to anything other than its own litter tray. Look how that turned out when it was seen as all too hard and compromises were made.

The big problem with Java is that it requires quite a bit of C "glue" code to interface with the underlying operating system. The glue code necessary is often quite complex too, since it has to contend with issues such as the VM rearranging objects (thus the glue needs to "pin" the objects), garbage collection using a mark-and-sweep (thus the glue code needs to make sure objects do not "disappear" during the call), strange memory layout, multithreading/CPU cache issues etc, etc.

So while to the Java developer things may look simple, copious amounts of complex glue code are needed with all the traditional opportunities for security bugs.

There are probably more explanations than how the language runtime integrates with the OS, but the comparable .NET Framework seems to fare *a lot* better.

Then there's the opposite that was born stupid, things like Active-X from MS that were such a stupid idea that a librarian (not a programmer) was telling me how stupid it was before launch.

ActiveX controls on the web were a stupid idea. Faced with the threat of Java applets, Microsoft decided to take a sound (and efficient) binary standard from the OS and put it on the web. The big problem with ActiveX is that from the OS perspective (at least until Windows 7) it is but binary code executing under the user account.

Imagine a system where you do not have sufficient control over what a process can do (because it is binary code executing directly against the OS), so instead you try to limit who can use what binary code - and under which circumstances. But once the code executes it acts as part of the host process. That actually works until someone sneaks in malicious binary code, or - more likely - someone finds a memory corruption bug or finds a way to use the binary code in ways not intended by the developer.

That is putting a lot of trust in 3rd party developers, trusting that they do not have malicious intent and that they are actually competent and that proper quality assurance processes are in place. That turned out to be a stupid thing to trust (contrary to popular belief there have been precious few vulnerabilities in the ActiveX implementation itself - it was always the ActiveX controls - mostly 3rd party - that had vulnerabilities).

However, the idea behind whitelisting ActiveX controls was not new. It had been tried before (albeit not on the 'net), with similar results in terms of vulnerabilities, exploits and system compromises. To this day SUID/setuid is the most stupid intentional security weakness in the *nix security model, simply because - like with ActiveX - the permission structure is otherwise not capable of meeting simple, legitimate requirements.

Then things like allowing execution of arbitrary code in images, another case of MS fucking up in a truly astonishing way

I believe you may be confusing something here. When there is a vulnerability where a jpeg can "execute arbitrary code" it is *not* intentional. It is usually down to a memory corruption bug (such as a buffer overflow), i.e. it is *unintentional*. I don't believe MS has made any image format with intentional capability to execute arbitrary code. If you have information to the contrary, then please cite a source.

If you are insinuating that it is only MS who can make mistakes in image processing code, you should tread carefully. Compared to the typical open source libraries (libxml, libtiff, libpng et al) MS has had precious *few* vulnerabilities.

The answer as always is to learn from the lessons of the past instead of throwing together a pile of bits that look software shaped and rushing it out the door.

Yes. But if you want to learn the right lessons you must be careful to perform an unbiased analysis. Otherwise your results will have absolutely zero value towards avoiding similar situations in the future. Your petty attempts at laying this at the door of MS are an example of this. If - in your mind - the problem is simply MS, then you are overlooking the real problems. Ask yourself this: Why is it that it is only MS who has not had a *major* bug in their SSL implementation? (hint: MS SDL outlaws the use of the exact C library functions that were behind Heartbleed, so MS actually has a process in place where they analyze previous vulns and improve the guidelines for future development so that they can avoid *similar* mistakes).

Re:Saw similar posts before the web existed (0)

Anonymous Coward | about 2 months ago | (#47688337)

Heartbleed had nothing to do with C library functions.

It had to do with using an untrusted variable for determining data length...
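The length-validation point made above, as an added example that is not code from this thread or from OpenSSL: a constructed, simplified heartbeat-style record (the layout, constants and function names are assumptions, not the real TLS encoding), with the echo routine that trusts the peer's length field beside the one that bounds it by the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified heartbeat record (not the exact TLS wire format):
 * rec[0] type; rec[1-2] payload length as claimed by the peer (big-endian);
 * rec[3..] payload, then at least HB_MIN_PADDING bytes of padding.
 * rec_len is how many bytes actually arrived: the only trustworthy length. */
#define HB_HEADER_LEN    3
#define HB_MIN_PADDING   16
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2

static uint16_t hb_claimed_len(const uint8_t *rec)
{
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Allocates and fills a response carrying 'claimed' payload bytes from rec.
 * Shared by both versions; the only difference between them is whether
 * 'claimed' was validated against rec_len first. */
static uint8_t *hb_make_reply(const uint8_t *rec, uint16_t claimed, size_t *reply_len)
{
    size_t total = HB_HEADER_LEN + (size_t)claimed + HB_MIN_PADDING;
    uint8_t *reply = malloc(total);
    if (reply == NULL) return NULL;
    reply[0] = HB_TYPE_RESPONSE;
    reply[1] = (uint8_t)(claimed >> 8);
    reply[2] = (uint8_t)claimed;
    memcpy(reply + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed); /* over-reads if unchecked */
    memset(reply + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    *reply_len = total;
    return reply;
}

/* The Heartbleed pattern: the copy length comes straight from the peer's
 * length field and rec_len is never consulted. If claimed exceeds what arrived,
 * the memcpy above reads past rec and the reply leaks adjacent process memory.
 * Kept for contrast only; never call it on a lying record. */
uint8_t *heartbeat_echo_unchecked(const uint8_t *rec, size_t rec_len, size_t *reply_len)
{
    (void)rec_len;                        /* ignored: this omission is the bug */
    return hb_make_reply(rec, hb_claimed_len(rec), reply_len);
}

/* Hardened form, shaped like the upstream fix: validate the claimed length
 * against the transport length before any copy, and silently discard
 * (return NULL) a record that does not fit rather than answer it. */
uint8_t *heartbeat_echo_checked(const uint8_t *rec, size_t rec_len, size_t *reply_len)
{
    if (rec_len < (size_t)HB_HEADER_LEN + HB_MIN_PADDING) return NULL;
    if (rec[0] != HB_TYPE_REQUEST) return NULL;
    uint16_t claimed = hb_claimed_len(rec);
    /* the decisive check: header + claimed payload + padding must fit in rec_len */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return NULL;
    return hb_make_reply(rec, claimed, reply_len);
}

/* Builds a record whose length field is set independently of the real
 * payload, so a lying record can be constructed for testing. */
size_t hb_build_record(uint8_t *buf, size_t cap, uint16_t claimed,
                       const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)claimed;
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* Honest record: "ping" with a matching length field. Both versions answer
 * it identically; returns the reply length (23), or 0 on any mismatch. */
size_t hb_selftest_honest(void)
{
    uint8_t rec[64];
    size_t n = hb_build_record(rec, sizeof rec, 4, (const uint8_t *)"ping", 4);
    size_t len_c = 0, len_u = 0;
    uint8_t *c = heartbeat_echo_checked(rec, n, &len_c);
    uint8_t *u = heartbeat_echo_unchecked(rec, n, &len_u);
    int same = c && u && len_c == 23 && len_u == 23 &&
               memcmp(c, u, len_c) == 0 && memcmp(c + HB_HEADER_LEN, "ping", 4) == 0;
    free(c);
    free(u);
    return same ? len_c : 0;
}

/* Lying record: claims 65535 payload bytes but only 23 bytes arrived. Returns
 * 1 when the checked version discards it (the unchecked one would copy
 * 65535 bytes out of a 23-byte buffer). */
int hb_selftest_lying_rejected(void)
{
    uint8_t rec[64];
    size_t n = hb_build_record(rec, sizeof rec, 0xFFFF, (const uint8_t *)"ping", 4);
    size_t len = 0;
    return heartbeat_echo_checked(rec, n, &len) == NULL;
}
```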

"I don't believe MS has made any image format..." (0)

Anonymous Coward | about 2 months ago | (#47688347)

Not necessarily image formats, but they DID do that with the word formats.

Re:Sandboxing (1)

Anonymous Coward | about 2 months ago | (#47688033)

I already sandbox most things I run now.

Sandboxie is a godsend for this. So easy to use as well. And if you actually browse in the sandbox in, say, explorer, you can't accidentally run something outside of a sandbox since it gets run inside the sandbox regardless of where you launch it.

Another really useful side-effect of how it works is you can make pretty much any program portable.

No noticeable slowdowns either.
I've even played complex RTS games in it, graphically intense games. (hell, I've even done that in Truecrypt before)

Re:Sandboxing (1)

jbmartin6 (1232050) | about 2 months ago | (#47688141)

There is a lot of work being done now on behavioral analysis, with some products like Invincea and Cylance based on this idea. From the limited testing that I have done with them, they seem pretty effective. Of course, malware authors could just start changing their behaviors to avoid these tools, but if malware doesn't act like malware anymore, it stops being malware. And of course you forgot reputation services like those already being implemented by browsers and OS vendors. These force malware users to keep moving their sites and C&C around, making it just that much harder. Which is a good thing. Today, what we call "antivirus" is already using these two approaches to some extent.

Re:Sandboxing (0)

Anonymous Coward | about 2 months ago | (#47688361)

"malware authors could just start changing their behaviors to avoid these tools, but if malware doesn't act like malware anymore, it stops being malware."

Wrong.

It is malware if it does things that the user does not want. It doesn't matter WHAT the behavior is.

It works (0)

Anonymous Coward | about 2 months ago | (#47687957)

I happen to work in a company with roughly 5000 employees, all with antivirus installed. About 30% of the work force are on customer sites, use flash drives and connect to customer networks all the time. In short, it's a potential horror story.

We keep detailed statistics about the health of each system, and while I won't disclose which antivirus solutions we use (it's mainstream), I can tell you they do important work for the 30% that's exposed to "hostile" environments as they quarantine about 10 virii per month.

Re:It works (1)

goarilla (908067) | about 2 months ago | (#47687963)

What happens when said AV solution quarantines svchost.exe ?

Re:It works (4, Informative)

Cyberax (705495) | about 2 months ago | (#47687975)

Pedant mode: the plural of "virus" is "viruses". If you /insist/ on using Latin then it should be "vira", since it's a neuter noun in the second declension. Though we don't have any actual examples of such use in contemporary sources.

Re:It works (1)

ruir (2709173) | about 2 months ago | (#47687995)

30% of the known viruses, and there lies one of the countless problems.

Stockholm syndrome (4, Interesting)

Torp (199297) | about 2 months ago | (#47687965)

Let's translate the OP's question:
I have this insecure by design environment, while there are more secure by design environments available (yeah, probably not completely secure, but much more secure than what I'm using now). I'd like to patch my grossly insecure environment to get at least an illusion of security instead of considering the alternatives.

Re:Stockholm syndrome (0)

Anonymous Coward | about 2 months ago | (#47688061)

What are these more secure by design environments you are talking about? What about the design makes them more secure? More secure than what?

Re:Stockholm syndrome (0)

Anonymous Coward | about 2 months ago | (#47688301)

In the past there were a few so-called capability based systems.
Most of them were research projects but the AS/400 was partly based on that concept and seems to have been a pretty secure system.
IIRC there was also a computer system for some British radar system based on the capability model (now defunct).

I forget where I read it, but I saw a reference to capability-based security models being provably secure (if done right) while for the security measures used in commodity systems it was unknown if they ever could be made truly secure (even assuming no errors are made in the implementation).

There was a recent slashdot post about the CHERI project that seems to bolt on capability-security onto a commodity chip design http://hardware.slashdot.org/story/14/07/16/1218238/sricambridge-opens-cheri-secure-processor-design/insightful-comments
This approach might be what's needed to get actual security into mainstream systems.

Re:Stockholm syndrome (0)

Anonymous Coward | about 2 months ago | (#47688195)

Let's translate the OP's question:
I have this insecure by design environment, while there are more secure by design environments available (yeah, probably not completely secure, but much more secure than what I'm using now). I'd like to patch my grossly insecure environment to get at least an illusion of security instead of considering the alternatives.

Your translation is meaningless without specifics. What more secure by design environment are you referring to that would avoid e.g. Cryptolocker, one of the currently most successful Windows malwares (hint: it runs happily in user space with normal user privileges)?

Re:Stockholm syndrome (1)

reikae (80981) | about 2 months ago | (#47688197)

It's likely that security isn't the OP's main concern. It rarely is.

Pining for the fjords (4, Funny)

rossdee (243626) | about 2 months ago | (#47687979)

It's not dead, it's just resting.

Re:Pining for the fjords (1)

stonedead (2571785) | about 2 months ago | (#47688143)

Disagree. It is stone dead.

Re:Pining for the fjords (0)

Anonymous Coward | about 2 months ago | (#47688255)

It's HTTP 404.

Cause: hardware and OS makers? (0)

Anonymous Coward | about 2 months ago | (#47688023)

To put it bluntly, the hardware and OS makers have "banded together" to make it impossible to create an easy solution to this problem: a read-only OS.

I have not seen any hard disks with a physical* read-only switch on them (even USB sticks with them are hard to find these days) and the Windows OS has been created in such a way that makes it near to impossible to function from such a read-only drive.

*Software solutions to this extent are not worth their development time. Too easy to tamper with.

Re:Cause: hardware and OS makers? (1)

Opportunist (166417) | about 2 months ago | (#47688071)

That would be a veritable nightmare. Not to mention that contemporary OSs would need a total rewrite to even come close to working with this idea.

Re: Cause: hardware and OS makers? (0)

Anonymous Coward | about 2 months ago | (#47688075)

Hardware is too soft for physics

Just say NO! (0)

Anonymous Coward | about 2 months ago | (#47688025)

To Javascript or anything THEM can run against US.

No, you don't need AV, even on Windows (3, Insightful)

davmoo (63521) | about 2 months ago | (#47688065)

The most important piece of equipment for computer security is the one positioned between the chair and the keyboard. Learn to not click on stupid shit and it's entirely possible to remain virus and malware free. I don't run AV software and I've never had a virus or malware on any Windows machine that I didn't purposely infect to see what happens (I work in IT, I'm expected to know that kind of stuff, so I have a machine specifically for the purpose of infecting :) ). And I run Windows almost all the time on my main daily-user machines (I run Linux on a couple of personal servers.) My just-barely-computer-literate 76 year old mother also does not run AV software, and has never had a virus or malware...and various flavors of Windows is all she's ever used.

Yes, Microsoft needs to do a better job on security. But saying it's a Windows problem is a polite way of saying 90 percent of computer users are too embarrassed to take responsibility for their own stupidity.

Re:No, you don't need AV, even on Windows (0)

Anonymous Coward | about 2 months ago | (#47688093)

I agree. I've fixed countless infected PCs of friends and family. I've been on the internet since the late 1980's, but have yet to infect my own equipment.

I tell everyone don't click stupid sh1t, but they seem compelled.

The analogy would be spam email. If nobody ever replied or clicked links in spam, the spammers would have no incentive to keep sending the spam.

Re:No, you don't need AV, even on Windows (0)

Anonymous Coward | about 2 months ago | (#47688101)

Why waste your time telling people not to click stupid shit. Might as well try to convince people to stop fucking.

Re: No, you don't need AV, even on Windows (1)

DaMattster (977781) | about 2 months ago | (#47688119)

What happens if you receive an email with malware attached that activates simply when it downloads off of the server to your mail reader application without you actually opening it? I've seen this happen before. How do you know for certain that you DON'T have a virus? It is possible for legitimate websites like CNN or The Weather Channel to develop an infection and pass it to the end user.

Re: No, you don't need AV, even on Windows (1)

jbmartin6 (1232050) | about 2 months ago | (#47688147)

What mail reader in this day and age automatically activates malware? It's been a long time since Outlook had any issues like this since Microsoft figured out that 'active content' was a very bad idea.

Re: No, you don't need AV, even on Windows (2)

davmoo (63521) | about 2 months ago | (#47688177)

Unread email never touches my machines. I read email via the web. Anything I want to save is then invited on to my machine. Ad servers used by sites like CNN and The Weather Channel are blocked in my HOSTS. Anything that requires a 3rd party extension to run inside Chrome requires my explicit permission to start. And those are things even a total n00b can do.

Oh, and here's the number one way I tell people to avoid spam and malware. I **NEVER** **EVER** install browser toolbars. In fact, when someone calls me to have me fix their machines after they've been infected with something, I automatically charge an additional $20 for every browser toolbar I find. If I've cleaned their machines before and warned them about toolbars, the additional charge goes up to $40 per toolbar.

And if I've caught a virus or malware somewhere, then it never did anything nor did it ever "phone home", cause me problems, encrypt my files, delete my files, screw up my display, increase my bandwidth, etc and so on. And I have yet to see an actual virus or malware that had the intended purpose to do absolutely nothing.

Re: No, you don't need AV, even on Windows (0)

Anonymous Coward | about 2 months ago | (#47688165)

I agree end-user behaviour is an important factor. Yet the way the operator Belgacom was compromised suggests it's not necessary to click stupid things. When the culprit compromises key infrastructure you can't trust anything you click on (even a linkedin profile). So we still need something to inspect what we're downloading, and it needs to be a lot smarter.

Re:No, you don't need AV, even on Windows (1)

Anonymous Coward | about 2 months ago | (#47688233)

The most important piece of equipment for computer security is the one positioned between the chair and the keyboard. Learn to not click on stupid shit and it's entirely possible to remain virus and malware free. I don't run AV software and I've never had a virus or malware on any Windows machine that I didn't purposely infect to see what happens

I often see people claim this, but how do you know? The worst/best of modern malware is invisible to the user, you don't see it in the process list, and it doesn't bog down the PC. In-depth packet analysis of the network traffic is perhaps your only chance of discovering it "manually".

Re:No, you don't need AV, even on Windows (4, Insightful)

Imrik (148191) | about 2 months ago | (#47688241)

While I agree with the general sentiment, it would be more accurate to say that you've never noticed a virus or malware on the machines, rather than you've never gotten them.

Anti-virus applications have always been dead. (0)

Anonymous Coward | about 2 months ago | (#47688117)

Even at the beginning of the "industry" it was obvious that anti-virus applications were useless.

Was there malware in the 60s? You bet. I even designed one around 1973 to steal passwords.

How were they handled? By fixing the vulnerability. My password stealer was fixed by requiring the user to do a control C to get the attention of the system. The password stealer could run... but could not trap the control C as it was not the controlling job of the terminal.

No antivirus product can detect the malware that hasn't been seen. If the virus has been seen, then logically the vulnerability being exploited should be fixed. For most systems, creating a patch takes about the same amount of time as it takes to analyze the malware and generate a new signature identity, (which is less time than it takes to develop a "behavior recognition").

No matter what the malware detection system, it ALWAYS lags behind the attack.

The only way to stop malware is to fix the system.

signatures are dead (0)

Anonymous Coward | about 2 months ago | (#47688129)

The point is that many companies still rely on signature technologies which are dead. Comprehensive endpoint protection with reputation and behavioral protection is still very valuable, but underutilized.

exactly as dead as Windows (0)

Anonymous Coward | about 2 months ago | (#47688137)

The more Windows is dead, the more antivirus dies.

Ummm, not at all (5, Insightful)

Sycraft-fu (314770) | about 2 months ago | (#47688139)

Anti-virus is still extremely useful. It is not an end in and of itself, it isn't a panacea that will keep you safe from everything, but it is a useful layer of security. The only true defense that has any chance is defense in depth, layers of security. So that when one layer fails, and they WILL fail there's no perfect security, other layers stop the problem.

AV is a useful layer. It screens for known threats and good AV gets that list updated multiple times per day. So it can flat out stop any known threat from getting on a system. It can scan things as they download, before they execute, and block known threats.

That is useful, particularly against the kind of threats normal users face. They don't usually face highly specialized and targeted threats, they face something that sneaks in through a bad ad in a compromised ad network or the like.

We make plenty of use of AV at work and it has done a great job cutting down on compromised systems, and cleaning up systems that do get compromised (which generally don't have AV). I certainly wouldn't rely on it as the be-all, end-all, but it is a good layer of security.

It's also a pretty cheap one. You can have MSE for free, which has about a 90% catch rate, or for $40ish per year you can get one with a much higher catch rate (NOD32 being my preference). That's not a bad price for a useful layer of security.

Re:Ummm, not at all (2)

DMUTPeregrine (612791) | about 2 months ago | (#47688159)

You also mention one of the most common malware vectors: ads. Especially flash ads. Ad blocking software is security software.

Re:Ummm, not at all (0)

Anonymous Coward | about 2 months ago | (#47688251)

Anti-virus is still extremely useful. It is not an end in and of itself, it isn't a panacea that will keep you safe from everything, but it is a useful layer of security.

Are [syscan360.org] you [funoverip.net] sure? [cmpxchg8b.com]

Re:Ummm, not at all (0)

Anonymous Coward | about 2 months ago | (#47688381)

It only "works" for Windows - which has been the most vulnerable system ever created.

Nobody else.

The others don't need it.

AV (0)

Anonymous Coward | about 2 months ago | (#47688153)

Anti-virus software is unfortunately still needed; even if a user can only mess up their own machine, it's still a huge drain on support resources. At the same time, anti-virus software has completely fucked up the Windows eco-system. We're forced to constantly run a whole cluster of parasite de-celerator applications that constantly just randomly make other, real work, software fail.

Use Linux (1, Informative)

Dukenukemx (1342047) | about 2 months ago | (#47688157)

The biggest flaw with Windows is its reliance on antivirus. No matter what computer system I install Windows onto, the antivirus software makes it slow. In some cases the antivirus software is worse than the virus itself.

Just use Linux. Not that nobody writes viruses for Linux, but your chances of getting one are slim. Also distros like Ubuntu/Mint/etc tend to update more than the OS itself. Update Manager will update Java, Firefox, Flash, and everything in between. Windows needs background programs to update the software in your computer, which is why so many vulnerabilities are left exposed in Windows machines.

Re:Use Linux (1)

zwede (1478355) | about 2 months ago | (#47688231)

Posting to undo accidental mod.
It can be debated WHY Linux has almost no viruses, but the fact remains that it is much less impacted. Since you don't need AV on Linux it tends to run faster.

Firewalls, AV, Good practices, Awareness (1)

erroneus (253617) | about 2 months ago | (#47688209)

All of these are necessary and none are a substitute for one-another. And even in concert and combination, they are not 100% effective and never can be.

The fact is, there are people who think the ability to get beyond security measures is tantamount to the "right" to break, enter and utilize. That is the source of the trouble. And until those humans are addressed effectively, there cannot be any progress against the problem. And why isn't that happening? Should be obvious.

With government writing themselves laws exempting themselves from prosecution (and simply ignoring laws, and refusing to prosecute themselves) and business of every kind, everywhere "lobbying" [read: buying] legislation which enables them to legally circumvent personal privacy and security measures while at the same time criminalizing circumvention of playback control measures? Well, the picture sure is clear enough. They can't easily go after anyone without potentially offending the people who support them -- their sponsors.

The establishment itself is the problem. The establishment problem is best addressed by a mob of rebellion. Start with simple things: MS Windows for work and Linux/BSD for home. I don't care which flavors of Linux/BSD anyone uses and variety is a great thing -- no one-virus/malware to rule them all. Similarly to "the truth" Open Source will set you free. It's simply harder and less frequent to get malware through in any consistent and predictable way. With Windows and MacOS, consistency and predictability is far greater.

We preach "defensive driving" in motor vehicle traffic. But we ignore it where communications, privacy and data flows are concerned? And of the two, which are presently more important? (Still a contest but it's not about which is "more" important... that's a matter of context)

Shift from blacklists to white lists (2)

Karmashock (2415832) | about 2 months ago | (#47688257)

Rather than looking for and identifying bad software... look for and identify good software. White lists deal with zero days. Set up security so that all unknown code is forbidden. Obviously, let the user, if they have permissions, exempt unknown code from the security. But anything else... no execution.

Include scripts, etc.

Good design (1)

countach (534280) | about 2 months ago | (#47688277)

It seems to me that anti-virus would be a waste of time in a well designed system. Binaries should be protected from modification. Applications with built-in VMs (like browsers) should be secure and with separate memory protection (like Safari). If a vulnerability is discovered in one of these puzzle pieces then the correct solution is to patch the vulnerability. The patch should be provided with the same speed as any upgrade to anti-virus signatures. And if you don't patch a major vulnerability in time... well all bets are off anyway, you can't be sure the virus didn't disable your anti-virus anyway, so you're screwed in any case.

I don't believe I've ever gotten a virus on my Mac. When I tried to help friends out with their malware on Windows, anti-malware software did a poor job. It didn't prevent infections, and couldn't repair them. My conclusion is you have to stop them at the border with good system design, not with band-aid anti-virus/anti-malware.

Wha???? (0)

mark_reh (2015546) | about 2 months ago | (#47688289)

"Or we should all just sit and hope for Microsoft to give us a new Windows with good integrated protection?"

What is there in MS history that would lead anyone to believe that MS could possibly make a secure Windows OS? I am flabbergasted!

Alternatives (2)

Shoten (260439) | about 2 months ago | (#47688401)

There are currently two solid alternatives to traditional AV. Unfortunately, one is not suitable outside of a well-managed (i.e., corporate) environment and the other probably would not work in a full-featured computer environment.

1. Whitelisting: Application whitelisting is really, really effective. There are ways to circumvent it, but that's true of just about any technical security control. The problem with it is twofold: one, someone needs to develop exactly *what* that whitelist is, and the average home user isn't really up to the task. Bit9 (the leader in the space) has gotten around this to some degree with a cloud-based archive of "known good" files and processes, but your standard home user will still run into a lot of things they don't recognize when they install. And what if one of those things is actually an existing infection? Then they will probably add it to their whitelist...or, on the other hand, err on the side of caution and end up breaking valid software on their systems. The odds of them hitting it exactly right are very small. And even then, they have to maintain the whitelist...so if they're taken in by that "YOU NEED TO UPDATE YOUR VIDEO CODEC LOL" popup window, they'll invariably end up authorizing whatever file gets downloaded ("'Trojan_video.exe'...sounds legit to me!") and infecting their system anyways.

2. The "Walled Garden" Model: In a lot of ways, this is like whitelisting built into the underlying OS, with the OS manufacturer being the custodian of the whitelist. This is how iOS works, so it's actually a proven model. There's only been one discovered instance of malware that's slipped into the App Store, and that was easily eradicated with the press of a button back at the Apple mothership. But on the other hand, there are ancillary effects to forcing all devs to go through a single clearinghouse for software. Apple's cut of the profits, and their cut of any revenue passing through any app sold through the App Store, are obvious issues, but the antitrust risk of a PC OS with only one place to go for software is a latent...and larger risk, going forward. One court decision can break the model entirely; if Apple doesn't collect at least some money from developers, then there's no money to support the App Store and the activities around it. But if there's no central authority, then there goes the chain of trust that's necessary to maintain the safety of the OS. And there's complexity in a PC-based OS environment that you don't find in a tablet or smartphone; in the tablet/phone model, each application is an island, separate unto itself for the most part. You don't have browser plugins, underlying execution environments or interpreters (Air, Java, .NET, Python, Perl, etc.).

Either way, the "blacklist" approach doesn't work. It's all fine to point out that other things (firewalls, IPS, etc.) need to be in place, and that's true...but malware is its own threat, and cannot be fully addressed by solutions that only focus on the attack. Applications will have vulnerabilities; railing against this hasn't accomplished anything in two decades. People will make mistakes, or be social-engineered into doing things they should not do. Supply chains will become infected (remember cameras, USB drives, etc. that have come with malware?) and sometimes those mistakes will affect people besides the mistake-maker. So there needs to be a way to address malware itself.

There are two approaches that, while theoretical, also hold promise. The issue is that they are pretty much theoretical; there's no existing implementation of either of them on any scale, or as a deployable off-the-shelf technology today.

3. The Managed Immunological Response: Assume that malware will exist, and somehow get onto systems. Most complex organisms hold pathogens within themselves that are harmful...and in many cases, even contain them in a symbiotic relationship. Eradicate E. Coli from a human's lower GI tract and they'll develop problems, for example...but E. Coli outside of that part of their body causes major issues and is a health problem. Catch a cold, and you'll be sick for a bit...but your body will get over it. This is what some researchers are aiming towards, and the approach shows a lot of promise in theory. But it requires that the OS operate in a functionally different way, a way that does not currently exist. So...yeah, that's a ways off, if it will ever happen.

4. The Sandboxed World: This is where applications are walled from one another...this is another feature of the iOS model. And as with the Walled Garden, the challenges of this grow severely when you move to the PC world. If it's hard to exchange data between your email client and your word processor, you're going to have a hard time getting things done. This is already something of a nuisance in the tablet/phone world. But if you open up access to the file system, then you create an avenue for bad things, and punch holes in the sandbox walls. So I don't know if it can be fixed in a way that would suit PC users, or if, in a lesser implementation, it could support something akin to the Managed Immunological Response model.
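The default-deny allowlisting that Karmashock and Shoten both describe, as an added example that is not from either commenter or from any product such as Bit9. It assumes a content-hash allowlist built from a baseline; the file paths, file contents and the "Trojan_video.exe" download are all constructed. It shows the three things the comments argue about: unknown code (zero-day or not) is blocked without ever being recognised, scripts are treated exactly like executables because the decision is on content rather than name, and a baseline taken on an already-infected machine bakes the infection into the allowlist.

```python
"""Default-deny application allowlisting, decided on file content hashes.

Added example; everything here (paths, contents, the allowlist) is constructed.
"""
import hashlib
from typing import Dict, NamedTuple, Optional, Set

# Constructed stand-ins for binaries and scripts on a known-good machine.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Program Files/Editor/editor.exe": b"MZ editor 1.0 (constructed)",
    "C:/Windows/System32/cmd.exe": b"MZ cmd (constructed)",
    "C:/Users/alice/login.ps1": b"Write-Host 'login script (constructed)'",
}

# Constructed stand-in for the file the "update your codec" popup delivers.
UNKNOWN_PATH = "C:/Users/alice/Downloads/Trojan_video.exe"
UNKNOWN_CONTENT = b"MZ something nobody has seen before (constructed)"


def sha256_hex(data: bytes) -> str:
    """Allowlist key: a hash of the bytes, so name and extension do not matter."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build an allowlist (hash -> label) from files assumed to be known good.

    The assumption is the weak point: whatever is on disk when the baseline is
    taken, including an existing infection, becomes "known good".
    """
    return {sha256_hex(content): path for path, content in files.items()}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def decide(path: str, content: bytes, allowlist: Dict[str, str],
           exemptions: Optional[Set[str]] = None) -> Decision:
    """Execution decision: allow only what is on the list, deny everything else.

    Nothing here tries to recognise malware; unknown code is refused simply
    because it is unknown, which is why the approach covers zero days.
    """
    digest = sha256_hex(content)
    if digest in allowlist:
        return Decision(True, "allowlisted: %s" % allowlist[digest])
    if exemptions and digest in exemptions:
        return Decision(True, "explicit user exemption")
    return Decision(False, "unknown hash %s... for %s: blocked" % (digest[:12], path))


def demo() -> None:
    """Walk through the cases discussed in the comments above."""
    allowlist = build_baseline(SAMPLE_FILES)
    print(decide("C:/Users/alice/login.ps1", SAMPLE_FILES["C:/Users/alice/login.ps1"], allowlist))
    print(decide(UNKNOWN_PATH, UNKNOWN_CONTENT, allowlist))
    # Renaming the unknown file to a trusted path changes nothing: content decides.
    print(decide("C:/Windows/System32/cmd.exe", UNKNOWN_CONTENT, allowlist))
    # A modified copy of a trusted binary is also unknown.
    print(decide("C:/Program Files/Editor/editor.exe", b"MZ editor 1.0 (tampered)", allowlist))
    # Baseline taken after the download landed: the infection is now "known good".
    infected = dict(SAMPLE_FILES)
    infected[UNKNOWN_PATH] = UNKNOWN_CONTENT
    print(decide(UNKNOWN_PATH, UNKNOWN_CONTENT, build_baseline(infected)))


if __name__ == "__main__":
    demo()
```

The user exemption set models the "if they have permissions" escape hatch; it is what makes the popup scenario work against the user, since an exemption granted to the downloaded file is indistinguishable from one granted to a legitimate unrecognised installer.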
