
Antivirus Vendors Headed for Court

CmdrTaco posted more than 7 years ago | from the yeah-good-luck-with-that dept.

Security 120

SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."


120 comments


F--- the Chinese Software Company (0, Troll)

tjstork (137384) | more than 7 years ago | (#19788783)

Go Kaspersky! One look at the trade deficit says that perhaps all Chinese software ought to be blocked.

F--- the article (3, Insightful)

acidrain (35064) | more than 7 years ago | (#19789055)

Rising Tech announced on the 30th of May that they were planning to sue the Beijing office of Kaspersky for unfair competitive practices (though it isn't known whether this suit was brought to court).

This is a few scraps of slap talk dredged up from the bowels of the net. It isn't even a lawsuit or a comment by a legal professional, let alone an injunction or any kind of legal ruling.

Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

Did you read it? (2, Insightful)

www.sorehands.com (142825) | more than 7 years ago | (#19790673)

It refers to the lawsuit [interfax.cn] that was filed on May 19th.

Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

I agree, mostly. To have multiple anti-virus or spyware packages running resident is nuts. Running Norton is nuts too.
But running multiple scanners (different times) is not nuts.

Anti-virus software has to have information regarding virii and a package may pick up on it. There are some virii and trojans that use a modified version of Kaspersky to prevent competitors from infecting the same machine.

Don't viruses attack system files though? (-1, Troll)

antifoidulus (807088) | more than 7 years ago | (#19788851)

Some of the more complex viruses invade various system files (the fact that Windows makes it easy for them doesn't help). They modify some of the most basic system calls to the point that the virus becomes difficult, if not impossible, to remove without reformatting. So how should anti-virus makers deal with infected system files if they aren't allowed to identify them as being viruses?

Re:Don't viruses attack system files though? (3, Informative)

jargon82 (996613) | more than 7 years ago | (#19789611)

It's not just "Windows making it easy for them" though, it's the simple fact that nearly every Windows user runs as admin. We'll see what impact, if any, Vista has on this, but in all previous versions it's been a mixed bag and IMO can largely be blamed on a conflict of various policies within Microsoft.

Consider, documentation on programming for the Windows OS, from MS, outlines how to write without requiring admin access and generally speaking recommends this. Microsoft produced software, by and large, does not require admin access to RUN (sometimes, yes, to install, but not run). But all this aside, the accounts created during Windows setup are admin and there's no push on the users to not run as admin.

All this combines to make a virus writer's life easy: the unknowing users are running as admin because it came that way, the knowing users are STILL running as admin because too much Windows software requires it, and only the truly dedicated take the time to get LUA to work. (at least prior to Vista)

Re:Don't viruses attack system files though? (1)

kb0hae (956598) | more than 7 years ago | (#19790525)

Hi. There is a distinction that is being missed here. These infected files are not and should not be identified as viruses. They SHOULD however be identified as infected files. If the anti-virus software cannot remove the virus from the file, and/or the file has been corrupted, the software needs to inform the user that the file may need to be replaced, or the operating system re-installed.

One of the biggest bugs in Windows has always been that it has allowed installers etc... to install files to the system folders, and even overwrite files in the system folders. This was a HUGE mistake, that should have been corrected long ago! When a program is installed files should only be allowed to be written to folders created for that program. Anytime that any program tries to write files to the system folders, they should be re-directed to the program's own folder, and a corresponding entry in the registry should redirect any attempts of the program to access these files to the file's true location. Also, a warning message should be displayed to the user that the program has attempted to install files into the system folder, and that this is not allowed.

Despite recent articles to the contrary, Vista is NOT secure at all for the average user, because the security "features" are so annoying that the average user turns them off after a very short time. Too bad the DRM crap embedded in Vista cannot be disabled so easily!

As to the common practice of an anti-virus program identifying the files of a competing product (that are not viruses nor infected with a virus) as viruses or infected is just plain wrong. This practice is in the Micro$haft tradition of anti-competitive, monopolistic behavior.

Re:Don't viruses attack system files though? (1)

SEMW (967629) | more than 7 years ago | (#19795293)

One of the biggest bugs in Windows has always been that it has allowed installers etc... to [...] overwrite files in the system folders. This was a HUGE mistake, that should have been corrected long ago!

That WAS corrected long ago. Specifically, Windows 2000 and newer. See http://en.wikipedia.org/wiki/Windows_File_Protection [wikipedia.org].

Despite recent articles to the contrary, Vista is NOT secure at all for the average user, because the security "features" are so annoying that the average user turns them off after a very short time.

Could you provide a source for that? Certainly, my experience has been the exact opposite ("the average user" doesn't do many administrative tasks and so practically never sees a UAC prompt, except when installing new programs, which isn't often). Of course, I'm willing to be proved wrong if you have any data which suggests that most average users do turn UAC off; but I rather suspect that you don't.

As to the common practice of an anti-virus program identifying the files of a competing product (that are not viruses nor infected with a virus) as viruses or infected is just plain wrong. This practice is in the Micro$haft tradition of anti-competitive, monopolistic behavior.

Well, that would have been a relevant comment -- if the company whose antivirus product is in question was Microsoft. It isn't. Microsoft do make an antivirus product, but AFAIK it has never been accused of this kind of behaviour. Even with TFA, I'd bet on the problem being incompetence rather than malice any day.
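An added example, not code from the thread, from Microsoft or from any vendor discussed here: a small manifest-based integrity checker in the spirit of the Windows File Protection mechanism referred to above, illustrating kb0hae's distinction between a virus and an infected system file. A file whose hash no longer matches the known-good manifest is reported as modified (possibly infected) rather than as a virus, a file that was never in the manifest is reported as unknown, and a file is only restored from the protected copy when that copy's own hash still matches the manifest, so a poisoned cache cannot be used to overwrite the system file. The directory layout, the file contents and the simulated infection are constructed for the demo and stand in for real system files.

```python
import hashlib
import tempfile
from pathlib import Path

# Verdicts. The point from the thread: a tampered system file is reported as
# modified (possibly infected), not as "a virus".
UNCHANGED, MODIFIED, MISSING, UNKNOWN = "unchanged", "modified", "missing", "unknown"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Known-good hashes for every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Compare the tree under root against the manifest; one verdict per path."""
    root = Path(root)
    verdicts = {}
    for rel, good in manifest.items():
        p = root / rel
        if not p.is_file():
            verdicts[rel] = MISSING
        else:
            verdicts[rel] = UNCHANGED if sha256_file(p) == good else MODIFIED
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in verdicts:
            verdicts[rel] = UNKNOWN      # present, but never recorded as known-good
    return verdicts


def restore(root, rel, cache, manifest):
    """Put back a modified file from a protected copy (WFP does this from its
    cache). Refuse if the cached copy does not itself match the manifest, so a
    poisoned cache cannot be used to "restore" malware over the system file."""
    data = cache.get(rel)
    if data is None or hashlib.sha256(data).hexdigest() != manifest.get(rel):
        return False
    (Path(root) / rel).write_bytes(data)
    return True


def demo():
    """Constructed scenario (not real system files): a fake infector patches one
    file and drops another; returns the verdicts before and after restoration."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        files = {
            "system32/kernel.dll": b"MZ" + b"\x00" * 30 + b"good code",
            "system32/user.dll": b"MZ" + b"\x00" * 30 + b"more good code",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        cache = dict(files)                      # stands in for the protected cache
        with open(root / "system32/kernel.dll", "ab") as f:
            f.write(b"\xcc" * 16 + b"PAYLOAD")   # simulated infection: appended code
        (root / "system32/dropped.dll").write_bytes(b"MZ junk")
        before = verify(root, manifest)
        restored = restore(root, "system32/kernel.dll", cache, manifest)
        after = verify(root, manifest)
        # a poisoned cache is rejected rather than written over the system file
        poisoned = restore(root, "system32/user.dll", {"system32/user.dll": b"MZ evil"}, manifest)
        return {"before": before, "after": after, "restored": restored, "poisoned": poisoned}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

Note that the manifest itself is the trust anchor here: if an attacker running as admin can rewrite both the file and the manifest, the check proves nothing, which is the same reason WFP relies on a protected cache and signed catalogs rather than on a writable list.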

Re:Don't viruses attack system files though? (0)

Anonymous Coward | more than 7 years ago | (#19792277)

I have fought viruses and other malware for a very long time, and I would have to disagree with you to a certain extent.

Damage done by malware is already done, that can't be fixed by antivirus software. Nor can the fire department un-burn your house after the fact. Same thing. You do have backups of important files, right...

If you have the proper tools, it's easy once the devs have defs/repairs for it. (Those come out incredibly fast. Of course, 3 hours before you even heard of it, isn't fast enough for lots of people.) It's true you may have to do something you don't want to, like shut down your server, but so what. If the doctor is going to surgically remove that cancer, he's going to have to cut a hole in you, deal with it.

If you don't have the tools necessary, you're screwed. That's not the fault of the antivirus company, now is it. They told you to make a clean boot disk. And the travel advisory committee tells you to get a malaria inoculation if going to a malaria zone, but they don't sit at the airport with a hypo waiting for you...

The media calls just about everything undesirable on the computer a virus, even though there have been almost no new computer viruses since about two years after "I love you" plastered the world. (It was a worm, not a virus. There are many types of malware: worms, viruses, trojans, droppers, spyware, adware, etc... There are even hybrids, but they are all defined differently, and viruses have a very specific definition.)

Besides, this article was about legal action against false positives. It's something that's going to happen, until machines are a lot smarter than people. (Even then...) It's possible they are trying to lay the ground for paranoids and lawyers for cases where the false positives are intentional for some bloody reason. (Kinda like a form of sabotage.)

system files? (0, Offtopic)

mastermemorex (1119537) | more than 7 years ago | (#19788861)

With system files, do you mean Windows Vista system files?

If I were an Anti-Virus vendor, I would... (0)

Anonymous Coward | more than 7 years ago | (#19788961)

If I were an AV vendor, I'd probably tag every file with ".DLL" as a file extension as a potentially harmful file

TDz.

Why only Kaspersky? (1)

TheSHAD0W (258774) | more than 7 years ago | (#19788967)

Why is it that only Kaspersky Antivirus is picking up on Rising Tech's files? What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

Re:Why only Kaspersky? (4, Interesting)

harlows_monkeys (106428) | more than 7 years ago | (#19789529)

What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

At the AV vendor I've worked for, when they get a report from another AV vendor of a false positive on that other vendor's product, they would investigate and get an update out within 24 hours to fix it.

Unfortunately, some vendors are not this fast. I've seen Spybot take years to fix false positives that have been brought to their attention.

Most are somewhere between these two. Generally, it goes like this. Company A notices that company B's product has a false positive on A's files. A contacts B about this, using B's public contact information, which generally is meant for the general public. So, A's complaint might end up in the support system, and might get kicked around there for a while as the support people try to figure out what to do with it. Eventually, it reaches some manager who has got a bunch of stuff on his plate, directly from his superiors, so he doesn't give this high priority.

A notices it is taking a long time, so looks for a better way to contact B. If A and B are reasonably big and in the same country or region, it will probably turn out someone high in A's management knows someone high in B's management, or knows someone who knows someone high in B's management who can introduce them, and then there is a high level request from A to B. That has a decent chance of getting results.

If no such contact can be found, or it fails to get action, then A calls the lawyers, and they write a letter to B's lawyers. That should get some attention at B, and whatever manager the first request got stuck at gets prompted to do something.

If nothing happens then, it is lawsuit time. When a lawsuit is actually filed, THAT gets the attention of B, all the way up to the top, and then things happen. (And the people who failed to act earlier get in a lot of trouble...companies do not like it when they get sued, even if the actual purpose of the suit is just to get someone's attention to fix a problem).

I suspect that a good percentage of lawsuits filed in the software industry (in general, not just AV) are to get the attention of upper management in the defendant to get some simple problem resolved that has fallen through the cracks.

A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

Re:Why only Kaspersky? (1)

Opportunist (166417) | more than 7 years ago | (#19789681)

I doubt Kaspersky is slow to pick up, they're pretty swift when it comes to reaction. Now, if you said MS still found a file wrongly days after notification, I'd sign that without asking, but Kaspersky has a record of reacting within minutes sometimes.

Still, Kaspersky has been losing ground in the last, say, 2 years. 2 years ago, they were the pinnacle of AV technology. They ain't anymore. I wonder why, but they sure as hell were losing ground.

Re:Why only Kaspersky? (1)

wfberg (24378) | more than 7 years ago | (#19789787)

A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

In ye olden days, all the AV people hung out on virus-L/comp.virus. I guess now they hang out together in not-so-public places, but you can still find places like virus bulletin which posts virus analyses etc. I find it hard to believe vendor Foo's developers have any problem at all reaching vendor Bar's developers.

Re:Why only Kaspersky? (0)

Anonymous Coward | more than 7 years ago | (#19790917)

Part of the problem with contacting customer services is that they're mainly for the company's customers. Not 3rd party vendors. Customer support has no obligation to help outside 3rd party vendors, unless escalated by the customer themselves. Primarily I'm talking at the Enterprise level, and not piddly crap like home users. When both companies' software has a lot to do with each other, then it becomes imperative that you contact proper channels like Customer Sales / Sales Consultants because that's who it really affects. I'm laughing really hard about that whole bit with frat brothers.

What unfortunately occurs is an outside sales person/tech calls a company and starts yelling at the customer service rep, who has to tell them that they can't help them because they're not a customer.
I know, because I'm the one who gets yelled at. I just brush them aside and let them do whatever.
They will go back to their customer base, complain about us, and that in itself is idiotic from both ends.
Our customers sign the contract, knowing that any problems are supposed to go through them to us, not a 3rd party vendor.

I've been on the receiving end of these things and I have to tell you, when you're a 3rd party vendor or outside company (not necessarily a competitor), we have to

1.) protect our customer base (confidentiality is also a problem too. I've had customers get real pissy about having ANY vendors contact them, which we tell them we don't give out our customer base)

2.) proprietary information. believe it or not, not everything is open sourced.

You could use lawyers, but that just generates bad blood and really has nothing to do with the problem at hand.

Now in terms of this whole AV problem, it's been blown way out of proportion.

All this could've been resolved by issuing a public apology to Rising Star rather than denying responsibility.
I've noticed, especially in Thailand (I'm Chinese American, btw), that people will be nice and pretend nothing is wrong while they are still pissed off as hell at you but can't tell you because you don't understand Thai and they have to speak to you in another language.

Re:Why only Kaspersky? (1)

ben there... (946946) | more than 7 years ago | (#19791635)

The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

Or...you know...you could just have a separate support number/email and bug tracker for handling false positives, which are bound to come up frequently enough to require it. Then assign an employee part-time to resolve them appropriately.

Re:Why only Kaspersky? (4, Insightful)

thegnu (557446) | more than 7 years ago | (#19792327)

I've seen Spybot take years to fix false positives that have been brought to their attention.
By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

Plus, it's still part of THE best passive/manual protection you can get:

1. Spybot w. Hosts list & immunize
2. Spywareblaster
3. IESPYADS
4. Firefox
5. WRT54G
6. Merijn's BugOff

I know a router probably isn't really passive, but to the PC it is. Oh, and besides the router, this is all free. My 2 cents.

Re:Why only Kaspersky? (1)

harlows_monkeys (106428) | more than 7 years ago | (#19793777)

By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

Some started as far back as 2002, and are still there in the current version.

If Spybot were a brand new program, from someone unknown, it would probably make the rogue list for too many false positives. But because it was one of the first, and was very good back in the old days when the spyware problem was much smaller, it gets grandfathered in, and people overlook a lot in it that they would not overlook in a modern program.

This is more of a Chinese/Russia showdown (1)

MadRat (774297) | more than 7 years ago | (#19788981)

Nothing to see, just a continuation of the 60's.

It Could Be Rising Tech Really Is Malicious (5, Informative)

NeverVotedBush (1041088) | more than 7 years ago | (#19788987)

China and Russia both are big time into state-sponsored computer/network infiltration. In a country like China, it wouldn't be surprising at all that the government would co-opt companies - especially anti-virus companies - to make them help the Chinese government open back doors, exfiltrate data, etc.

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.

I know this sounds somewhat like tinfoil hat territory, but the SANS organization is frequently publishing articles about state-sponsored hacking/attacks. Why give them an easy pass? A perfect easy pass to use your system in electronic warfare against any country - especially the USA? It is at least something to be aware of and to consider.

Rising Star antivirus? Whose star is rising? China's? And by what means?

Re:It Could Be Rising Tech Really Is Malicious (5, Insightful)

El_Muerte_TDS (592157) | more than 7 years ago | (#19789095)

And on the other side of the pond you've got companies that are for sale. For all you know Symantec allows certain backdoor software distributed by the MPAA/RIAA.

How much can you trust companies like that?

Re:It Could Be Rising Tech Really Is Malicious (2, Informative)

l0ne (915881) | more than 7 years ago | (#19789127)

ClamAV is really the way to go. Fully open. Fully accountable for. And if a definition is malicious, you can alter or remove it with relative ease.

Re:It Could Be Rising Tech Really Is Malicious (1)

Opportunist (166417) | more than 7 years ago | (#19789711)

ClamAV has only one problem: It's not in the loop.

Clam has a hard time getting updates in time. I'm not familiar with the detection utilities the ClamAV team uses, but they are notoriously slow. A virus has to be around for a while 'til Clam starts picking up on it.

For a sensible detection, you have to be fast. Preferably, you have to detect the attacker before it comes to your computer, because with the advent of rootkit kits (erh... however you wanna call them), it became trivial to craft rootkits. And rootkits have to be detected before they infect you.

You can't detect them anymore once they're in the system. You're late, you lost.

Re:It Could Be Rising Tech Really Is Malicious (1)

Thing 1 (178996) | more than 7 years ago | (#19790999)

While you're right about ClamAV not having real-time virus detection and can only detect an infection after it has files on your machine, it's not true that it gets updates slower. I remember reading a couple years ago that, out of the most recent 50 viruses found, ClamAV was the first to have the signature for it, 80% of the time. That's pretty good for something that's free.

A rootkit though, once it's on it's tough to detect; ClamAV will need to develop real-time scanning, drivers that load before all others after installation (which means installation will require a reboot), or both, in order to be a complete system.

OK, I found that reference [informationweek.com], published almost exactly 2 years ago:

As it turned out, ClamAV doesn't swim -- it flies. In Hyde's own tests, using two of the world's five top commercial AV products and 50 new virus variants, Clam AV was the first product to release a virus signature for new threats nearly 80 percent of the time.

Re:It Could Be Rising Tech Really Is Malicious (1)

rtb61 (674572) | more than 7 years ago | (#19795503)

Speaking of updates, as distributing a computer virus is a criminal act, should not governments be maintaining virus registers and make them available to the public, so that the public can protect their machines?

Re:It Could Be Rising Tech Really Is Malicious (1)

Virgil Tibbs (999791) | more than 7 years ago | (#19789971)

Which ever the best way to go is
It's not the Windows way...

Re:It Could Be Rising Tech Really Is Malicious (2, Insightful)

Ravon Rodriguez (1074038) | more than 7 years ago | (#19790181)

Like it or not, people have to use Windows. You may get away with open source substitutes for a lot of applications, but the fact is that it's extremely hard (or even impossible in a lot of cases) to run most games using something like Wine or Cedega. Not to mention that even Ubuntu, hailed as the easiest used implementation of Linux to date, is not quite ready for the grandmother test. So, while it may not be ideal to use a Windows system, it's necessary. That being the case, it also becomes important to keep a good virus database to thwart the fucktards who like to make life miserable for the rest of us.

Re:It Could Be Rising Tech Really Is Malicious (1)

antdude (79039) | more than 7 years ago | (#19791749)

Which backdoor software?

Re:It Could Be Rising Tech Really Is Malicious (1)

zlogic (892404) | more than 7 years ago | (#19789421)

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package.
Because American anti-viruses like Norton are much better and easier to uninstall ;-)

I've used McAfee, Avast, Norton, Panda and Kaspersky, and Kaspersky, unlike others, had zero false positives and detected ALL viruses. For example, Norton often complained that portscanners and network monitoring tools look suspicious and removed them automatically, and Avast identified my own application (written in C++/MFC) as a virus! Once I received an email with a virus in it and it was included in Avast's signatures two weeks later. Kaspersky had that virus added to its signatures a few hours earlier than I received it. The only thing I hate about KAV is that it consumes A LOT of system resources. Oh, and a full system scan takes a really long time since it checks everything, including HTML files packed in HxS inside an *.iso image packed in *.rar

Re:It Could Be Rising Tech Really Is Malicious (3, Insightful)

NeverVotedBush (1041088) | more than 7 years ago | (#19789597)

I never said the American ones were good. I only said that I wouldn't install the Chinese or Russian ones. The simple reason being that China and Russia both are big into network infiltration and the USA is a prime target. I don't believe in handing over a back door. I have no clue if Kaspersky or Rising Tech are fronting or providing back doors for their respective governments. Maybe they are and maybe they aren't. But there is a very real possibility that they are.

And you say your virus checkers of choice have detected "ALL" viruses? How do you know? Ask anyone who knows anything about AV software and they will tell you that the new ones are frequently missed completely because their behaviors or signatures are unknown. Until your AV company of choice puts in new definitions, you simply do not see them -- even though you may be infected and possibly infecting others. You even cite such an example yourself. If Kaspersky was to decide not to include a signature - say for a Russian government botnet back door - then you don't know it's there.

The fact is (and please go look at SANS or other websites that report such news) that China, Russia, and actually just about every country in the world have discovered that you can use the Internet for lots of military and economic gain. You can pull out sensitive data. You can set up systems so that if you ever need or want to, you can cripple infrastructure. You can wreak economic havoc. The USA especially uses the Internet for lots of things. Imagine the chaos that would come if you could shut it down with a single command. Trust me - they have.

Countries like Russia and China can go lean on companies to put in whatever hooks they want. I'm not saying they are in Kaspersky's software but I would not ever bet against it.

Re:It Could Be Rising Tech Really Is Malicious (1)

Opportunist (166417) | more than 7 years ago | (#19789747)

You may safely assume that KAV has been reversed by now. If it contained rootkits, you would have heard about it.

Re:It Could Be Rising Tech Really Is Malicious (1)

darien (180561) | more than 7 years ago | (#19791469)

There's a new version out next month...

Re:It Could Be Rising Tech Really Is Malicious (1)

zlogic (892404) | more than 7 years ago | (#19789807)

If Kaspersky was to decide not to include a signature - say for a Russian government botnet back door - then you don't know it's there.
I think if a computer got infected it doesn't really matter who wrote the virus. For example, McAfee refused to recognise Netbus as a virus - they said it was a remote administration tool. And remember how Gator/Claria sued everyone who identified their software as spyware. Or something like Sony's rootkit may happen. A company, just like the government, can force (or at least try doing so) an antivirus company to exclude malware from their databases.
And don't forget US companies like Microsoft who can theoretically shut down every Windows PC out there with WGA. I think that crippling Microsoft's servers would be much worse than just shutting down PCs running Windows AND Kaspersky.

Re:It Could Be Rising Tech Really Is Malicious (0)

Anonymous Coward | more than 7 years ago | (#19793609)

If anyone believes they have detected EVERY virus or spyware then they have no real clue as to the state of industry. Commercial scanners find 40% at best. Look up some security conference briefings to see examples of how scary it is out there. Every time I come back from a conference I want to shut off all my systems. Mind you, the presenters that scare me the most are NOT the vendor presentations, it the real world example type presentations.

Alternatively... (0)

Anonymous Coward | more than 7 years ago | (#19789549)

The easiest explanation, though, is that the scanner data contains pieces of the viruses it detects and they don't do enough to hide them from other scanners.
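An added example, not code from the thread, from ClamAV or from any vendor named here: a toy scanner that reads simplified ClamAV-style signature files and shows the two points raised by l0ne's ClamAV comment further up and by the comment just above. First, a database that stores signature bodies as raw bytes (the constructed "competitor" file) trips another scanner's pattern signature, while a database that stores the same bodies hex-encoded does not. Second, with an open signature set a false positive can be cleared without touching the signature itself, either by whitelisting the exact file by hash or by ignoring the signature name. The file formats are my recollection of the ClamAV .ndb/.hdb/.fp/.ign2 formats, deliberately simplified (target types and the extended hex syntax are not handled); the `??` single-byte wildcard, the sample signatures, and the "competitor" database are assumptions made for illustration. The EICAR string is the standard test string and is detected on purpose.

```python
import hashlib
import re

# Simplified ClamAV-style formats (from memory; assumption: target types and
# the extended hex syntax are not handled):
#   .ndb  : Name:TargetType:Offset:HexSignature   ('*' offset = anywhere, else absolute)
#   .hdb  : MD5:FileSize:Name                     (whole-file hash detection)
#   .fp   : MD5:FileSize:Name                     (whole-file hash whitelist)
#   .ign2 : Name                                  (signature names to ignore)

# Standard EICAR test string (68 bytes); every scanner detects it by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hexsig_to_regex(hexsig):
    """Hex body with '??' single-byte wildcards -> compiled bytes regex."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex signature")
    parts = [b"." if hexsig[i:i + 2] == "??" else re.escape(bytes.fromhex(hexsig[i:i + 2]))
             for i in range(0, len(hexsig), 2)]
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(text):
    sigs = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, target, offset, hexsig = line.strip().split(":", 3)
            sigs.append((name, int(target), offset, hexsig_to_regex(hexsig)))
    return sigs


def parse_hashlist(text):
    """Shared by .hdb and .fp: maps (md5, size) -> name."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            md5, size, name = line.strip().split(":", 2)
            out[(md5.lower(), int(size))] = name
    return out


class Scanner:
    def __init__(self, ndb="", hdb="", fp="", ign2=""):
        self.ndb, self.hdb, self.fp = parse_ndb(ndb), parse_hashlist(hdb), parse_hashlist(fp)
        self.ign = {l.strip() for l in ign2.splitlines() if l.strip()}

    def scan(self, data):
        """Name of the first matching signature, or None if clean."""
        key = (hashlib.md5(data).hexdigest(), len(data))
        if key in self.fp:                       # whole-file whitelist beats everything
            return None
        if key in self.hdb and self.hdb[key] not in self.ign:
            return self.hdb[key]
        for name, _target, offset, rx in self.ndb:
            if name in self.ign:
                continue
            hit = rx.search(data) if offset == "*" else rx.match(data, int(offset))
            if hit:
                return name
        return None


def demo():
    """Constructed scenario; returns the verdicts so they can be checked."""
    ndb = ("Eicar-Test-Signature:0:*:" + EICAR.hex() + "\n"
           "Toy.Dropper:1:0:4d5a????5041594c4f4144\n")   # 'MZ', 2 any bytes, 'PAYLOAD' at offset 0
    hdb = "%s:%d:Eicar-Test-Signature.hash\n" % (hashlib.md5(EICAR).hexdigest(), len(EICAR))
    us = Scanner(ndb=ndb, hdb=hdb)
    # A (constructed) competitor whose database stores signature bodies as raw bytes.
    competitor_db = b"SIGDB v1\n" + EICAR + b"\n"
    r = {
        "eicar_by_hash": Scanner(hdb=hdb).scan(EICAR),
        "eicar_variant_by_hash": Scanner(hdb=hdb).scan(EICAR + b"\n"),  # one byte off: hash misses
        "eicar_variant_by_pattern": us.scan(EICAR + b"\n"),
        "dropper": us.scan(b"MZ\x90\x00PAYLOAD..."),
        "clean": us.scan(b"MZ\x90\x00hello world"),
        "competitor_db_raw": us.scan(competitor_db),         # false positive on their file
        "raw_bytes_in_own_db": EICAR in ndb.encode(),        # hex storage: no raw body in our db
        "own_db": us.scan(ndb.encode()),
    }
    # Two ways to clear the false positive without touching the signature itself:
    fp = "%s:%d:Competitor.db\n" % (hashlib.md5(competitor_db).hexdigest(), len(competitor_db))
    r["competitor_db_after_fp"] = Scanner(ndb=ndb, hdb=hdb, fp=fp).scan(competitor_db)
    r["eicar_after_fp"] = Scanner(ndb=ndb, hdb=hdb, fp=fp).scan(EICAR)
    r["competitor_db_after_ign2"] = Scanner(ndb=ndb, ign2="Eicar-Test-Signature\n").scan(competitor_db)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The hash whitelist is the narrow fix (one exact file, so a rebuilt competitor binary trips the signature again until its hash is added), while ignoring the signature name is the broad one (the real sample is no longer detected either); which of the two a vendor picks is the whole substance of a false-positive dispute like the one in TFA.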

Re:It Could Be Rising Tech Really Is Malicious (1)

Frankie70 (803801) | more than 7 years ago | (#19789573)


The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.


Wow, the Chinese & Russian Govt are interested in accessing your computer. It's great to have such people posting on Slashdot. This is even better than Wil Wheaton posting here.

Re:It Could Be Rising Tech Really Is Malicious (1)

NeverVotedBush (1041088) | more than 7 years ago | (#19789653)

I seriously doubt they are interested in my specific computer to exfiltrate data from. However, there are lots of computers owned/operated by lots of key people at key companies or in government, that they probably would like to inspect. Why bother sending an agent when you can do it from halfway around the globe?

You seem to forget the recent flap about how Estonia thinks that the crippling cyber attacks they have been having were or Russian origin? While nobody may be interested in the information on my computer, another bot with a high-speed net connection is just another bot capable of being used in whatever cyber attack du jour a country wishes to do. Bots are valuable to regular botnet operators. What makes you think they wouldn't be valuable to governments who want to shut down some other country?

And what better way to gain access than by being a part of what is apparently considered to be "good" AV software?

Re:It Could Be Rising Tech Really Is Malicious (1)

Frankie70 (803801) | more than 7 years ago | (#19789745)

I guess people outside the US should stop using all US software. Any piece of software can be used to own a machine to be part of Bush's world conquering plans.

The who or the Russians? (1)

HiggsBison (678319) | more than 7 years ago | (#19794677)

You seem to forget the recent flap about how Estonia thinks that the crippling cyber attacks they have been having were or Russian origin?

Great! They have /. filtering out all references to the "". Damn, they're good!

Re:It Could Be Rising Tech Really Is Malicious (1)

theshowmecanuck (703852) | more than 7 years ago | (#19790433)

and the U.S. government isn't interested in hacking into people's computers? give me a break. isn't that what that whole AT&T privacy case was about?

Re:It Could Be Rising Tech Really Is Malicious (1)

Zantetsuken (935350) | more than 7 years ago | (#19790827)

Much more likely is that this "Rising Tech" AV is a pseudo-av running an extortion scam and is in fact spyware or other malware. While Symantec and a few others are all too well known for false positives ("Windows kernel is a virus! Delete?") there are a higher percentage where you'll have your homepage hijacked or NetBus type symptoms - background suddenly changed to a malware web-page, infinite Windows Services notification or system tray notifications that "Buy our software and your problems will go away!".

IMHO, I'd take that higher percentage of pseudo-AV/extortionist and apply it to "Rising Tech". Even better is to not trust either and go with an AV like Avast! Home (free) or AVG Free. If you don't have any reason to be stuck to Windows, don't; go Linux or *nix/OS X for binary incompatibility and security through obscurity (which isn't a good thing to rely on, but it does for the most part work for now).

might as well be selling rocks .. (4, Funny)

rs232 (849320) | more than 7 years ago | (#19789021)

For all the good the AV industry does, they might as well be selling rocks.

Re:might as well be selling rocks .. (1)

Opportunist (166417) | more than 7 years ago | (#19789773)

And? Been attacked by a tiger lately?

Seriously. AV tools have their place. They cannot be a replacement for good ol' common sense, but with the advent of MPack [pandasoftware.com] and similar infection tools, they're pretty much the only line of defense you have.

Getting infected is not only for the dumb and lazy anymore.

Re:might as well be selling rocks .. (1)

EsbenMoseHansen (731150) | more than 7 years ago | (#19790149)

Getting infected is not only for the dumb and lazy anymore.

Heh. One of the nice things about not running Windows... no virus. So in that sense it is for the lazy, i.e. the ones that don't install something easier to use. Might I suggest Ubuntu?

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Re:might as well be selling rocks .. (1)

zippthorne (748122) | more than 7 years ago | (#19790333)

One of the nice things about not running windows... no virus.

How do you know?

Re:might as well be selling rocks .. (1)

EsbenMoseHansen (731150) | more than 7 years ago | (#19790913)

One of the nice things about not running windows... no virus.

How do you know?

In the same way that I know there are no armadillos in my garden. That is, I have not heard of any, nor encountered anything remotely like a virus in Linux. I have heard of worms from the ancient days, and that's pretty much it. Of course, it is not real proof, but there is precious little that we can definitely prove.

Furthermore, software gets installed via signed packages from repositories, or compiled by myself in the case I am working on it. That leaves spreading-by-application-bugs, and as nearly all my software is open source and pretty much up to date, I think the chance of infection low, even if any viruses are available.

As a practical matter, viruses are a non-issue on Linux, and so I hear they are on BSD or even OpenSolaris.

Re:might as well be selling rocks .. (1)

zippthorne (748122) | more than 7 years ago | (#19791003)

Yet, there are anti-virus programs for Linux. So, at least some are known to exist, however weak they may be. But without checking, you don't even know you don't have those.

Now, granted, I'm typing this from my Ubuntu partition, which I do not virus check, and I also have faith that it has picked up as many viruses as my XP partition (which I do virus check) has over the time I've had each: 0. (XP: 4 years vs. Feisty: 3 months since complete install)

On the other hand, I do have multiverse in my repositories list, so I may not be as safe as I think...

Re:might as well be selling rocks .. (1)

EsbenMoseHansen (731150) | more than 7 years ago | (#19791839)

Yet, there are anti-virus programs for Linux. So, at least some are known to exist, however weak they may be. But without checking, you don't even know you don't have those.

You are thinking of ClamAV? All or almost all of the virus signatures are Windows viruses. The one I have installed occasionally finds a (Windows) virus in my email. So actually, I do check my mail at least for viruses, and there has yet to be an incident. So there :p

Now, granted, I'm typing this from my Ubuntu partition, which I do not virus check, and I also have faith that it has picked up as many viruses as my XP partition (which I do virus check) has over the time I've had each: 0. (XP: 4 years vs. Feisty: 3 months since complete install)

To the best of my knowledge, I have not had a virus since I bought my first computer in the early '90s, and I have run a number of operating systems... the DOS family up to Windows Me, the Windows NT family (2000 only), OS/2, and in the last few years Linux in various flavours. But the point is, excepting my brief time with OS/2, I have had to worry about viruses in all that time until I finally had enough and went over to Linux. So it's more the bother of protecting myself than the actual virus :)

On the other hand, I do have multiverse in my repositories list, so I may not be as safe as I think...

Multiverse should be safe enough. The packages are signed and essentially taken from Debian. So we will know who screwed up. Of course, malware might slip through, but you can be sure you will hear of it shortly.

P.S: I wonder how you became a foe of a friend. You seem likeable enough. Oh well :)

Re:might as well be selling rocks .. (1)

Opportunist (166417) | more than 7 years ago | (#19790691)

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Or so I thought. Alas, someone came along and decided it would be fun to develop WINE...

Re:might as well be selling rocks .. (1)

EsbenMoseHansen (731150) | more than 7 years ago | (#19790849)

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Or so I thought. Alas, someone came along and decided it would be fun to develop WINE...

Ah, but no problem! Just go for 64-bit Linux, and you are safe once again! :o) (Technically you could install the 32-bit version of WINE, but it's not easy yet. Gutsy might change that, though)

Re:might as well be selling rocks .. (2, Interesting)

ploxiln (1114367) | more than 7 years ago | (#19790731)

I'd have to disagree. Getting infected is still for the "dumb and lazy", only the threshold is now a lot closer to the "smart and proactive" side of the meter than it used to be. Antivirus software is a losing proposition: it's not useful unless it's _ahead_ of the virus writers, it increasingly suffers from false positives, and if it identifies crap from a wealthy company it can be forced to ignore it.

Even without considering the fact that almost all successful antivirus packages on the market are crap (for reasons outlined in this excellent essay by Bruce Schneier), antivirus software isn't a good enough solution. The best solution is to run a system which doesn't respond to data received over the network in a way which the operator wouldn't want. This is simply too inconvenient for the vast majority of people (especially those people who couldn't begin to understand what they want their computer to do in any detail). This is however quite possible to achieve even today, for example by running a Linux/Unix system with all network listening services turned off (except sshd with a decent policy and passwords), running Firefox with the NoScript extension (or even better, a text-mode browser such as elinks). I've actually managed to do without antivirus software on my Windows machines for years, by simply keeping up with the latest updates, turning off most services, running Firefox, and knowing what software is safe to download and run (open-source Windows software primarily).

My point is that the solution to the security problem is to stop messing around with crappy reactionary solutions like antivirus software, and instead focus on programming and using systems which were designed to be secure from the beginning (like OpenBSD), and don't do stupid things you wouldn't want them to.
This would however require users to be trained to use computers properly if they can't figure it out themselves, not unlike how users of cars must be trained in order to keep them safe on roads, and can have their licenses revoked when they demonstrate lack of ability or care. Making software which is both secure and reasonably convenient to use is a hard problem, but it's one which should be pursued.

Kaspersky aren't the only ones (5, Interesting)

Anonymous Coward | more than 7 years ago | (#19789193)

I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FPs, are a nasty fact of life, especially as detection becomes more based upon behavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....

We had a customer send in a Windows Portable Executable file which was flagged as containing a virus released in the early '90s (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely verbatim. We then realised we were in fact looking at one of the main DLLs of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occurred, this malicious code could actually execute. I.e., a user could actually be infected by the cowboy AV scanning method.

Anyway, to this story I laugh and simply say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.

PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.
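The flat-file matching problem the analyst describes, shown against a signature store that keeps only digests of its patterns. This is an added example and not code from the comment or from any vendor; the signatures, the "engine DLL" blobs and the sample files are all constructed for the demonstration.

```python
"""Why an engine that stores malware patterns verbatim gets flagged by other
scanners, and how hashed signatures avoid that.

Added example, not code from the post or from any vendor: every signature
and every file below is constructed for the demo."""
import hashlib
from typing import Dict, List

# Constructed stand-ins for malicious code fragments; a real engine would
# carry thousands of them.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Worm.A":   b"\x55\x8b\xec\x83\xec\x40\xe8\x13\x37\x00\x00",
    "Demo.Trojan.B": b"\x6a\x00\x68\x41\x42\x43\x44\xff\x15\x99\x99",
}
WINDOW = 11  # every constructed signature is exactly WINDOW bytes long


def scan_raw(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Flat-file matching: report every raw pattern found anywhere in `data`.
    Anything that merely *stores* the patterns, such as the naive engine's
    own DLL, matches just as well as an infected file does."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def build_hashed_db(sigs: Dict[str, bytes]) -> Dict[bytes, str]:
    """Keep only a digest per pattern so the database never contains the code.
    (Real engines use cheaper rolling hashes; SHA-256 keeps the demo short.)"""
    return {hashlib.sha256(pat).digest(): name for name, pat in sigs.items()}


def scan_hashed(data: bytes, db: Dict[bytes, str]) -> List[str]:
    """Hash each WINDOW-byte slice of `data` and look it up in the digest set."""
    found = set()
    for i in range(len(data) - WINDOW + 1):
        name = db.get(hashlib.sha256(data[i:i + WINDOW]).digest())
        if name:
            found.add(name)
    return sorted(found)


def serialize_db(sigs: Dict[str, bytes], hashed: bool) -> bytes:
    """What ends up inside the engine DLL: raw patterns or their digests."""
    if hashed:
        return b"".join(build_hashed_db(sigs))  # dict keys are the digests
    return b"".join(sigs.values())


# Constructed files: a fake DLL from each design, one infected and one clean file.
NAIVE_ENGINE_DLL = b"MZ-demo-engine" + serialize_db(SIGNATURES, hashed=False)
HASHED_ENGINE_DLL = b"MZ-demo-engine" + serialize_db(SIGNATURES, hashed=True)
INFECTED_FILE = b"MZ-some-tool" + SIGNATURES["Demo.Worm.A"] + b"\x00" * 16
CLEAN_FILE = b"MZ-clean-tool" + bytes(range(64))


def compare() -> Dict[str, List[str]]:
    """Run both scanners over the constructed files and collect the verdicts."""
    db = build_hashed_db(SIGNATURES)
    return {
        "raw_on_naive_dll":     scan_raw(NAIVE_ENGINE_DLL, SIGNATURES),   # false positive
        "raw_on_hashed_dll":    scan_raw(HASHED_ENGINE_DLL, SIGNATURES),  # clean
        "hashed_on_hashed_dll": scan_hashed(HASHED_ENGINE_DLL, db),       # clean
        "hashed_on_infected":   scan_hashed(INFECTED_FILE, db),           # true positive
        "hashed_on_clean":      scan_hashed(CLEAN_FILE, db),              # clean
    }


if __name__ == "__main__":
    for case, hits in compare().items():
        print(f"{case:22} -> {hits or 'clean'}")
```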

Re:Kaspersky aren't the only ones (1)

Opportunist (166417) | more than 7 years ago | (#19789819)

China is learning fast. Why should you hire good programmers and deliver a good program if you can just hire good lawyers and sue everyone who shows that your program is crap?

Worked in other areas like a dream, so...

Re:Kaspersky aren't the only ones (0)

Anonymous Coward | more than 7 years ago | (#19794115)

Releasing a "fix" for this would mean patching YOUR software, not the other AV's dll. Thus your argument that doing this could cause their virus signatures to become executable makes no sense. You don't fix false positives by f*cking with the harmless file. Or do you? That says something about your coding skills/philosophy. Another giveaway is the fact that you can't seem to get the name of the software right. The company is Rising Tech. The product is Rising Antivirus.

"Rising Sun" appears nowhere in the article, and is in fact a reference to Japanese. Please give us the name of the product you worked on so we can avoid it all costs, as apparently you can't be bothered to read or understand the things you write about.

What kind of idiot...... (1)

Shack24 (1029318) | more than 7 years ago | (#19789215)

.....would be running two AV programs at the same time anyway ?!?!

Re:What kind of idiot...... (1)

Idbar (1034346) | more than 7 years ago | (#19789301)

Your original McAfee and the trial period of Norton that never vanished? I know several people that install the corporate AV on their new computers without noticing they have another trial version that came with it. It certainly brings the computer performance down.

Re:What kind of idiot...... (1)

stonecypher (118140) | more than 7 years ago | (#19789623)

It's likely that one was incompletely uninstalled, then the other installed to replace it.

Re:What kind of idiot...... (1)

flyingfsck (986395) | more than 7 years ago | (#19790635)

All the home user 'experts' I know simply install yet another anti-virus fix off the internet when the first thing doesn't work. It is a lot of fun fixing a machine that is messed up like that.

Re:What kind of idiot...... (0)

Anonymous Coward | more than 7 years ago | (#19790677)

> .....would be running two AV programs at the same time anyway ?!?!

Windows 2003 Server DOES support running two different antivirus products from two different vendors side-by-side, unlike earlier Windows editions.

Some security vendors, like the Finnish F-Secure Corp., have multiple scanning engines integrated in their anti-virus product.

Re:What kind of idiot...... (1)

rob1980 (941751) | more than 7 years ago | (#19791225)

Clearly you've never had to fix computers for a living.

Re:What kind of idiot...... (1)

Scoldog (875927) | more than 7 years ago | (#19795179)

The kinds of idiots I used to deal with at a large retail store in Aus:

Idiot comes in with a laptop saying it runs very slow, and he knows why. I'm all ears. He turns it on, waits 10 minutes for it to get to a usable state on the Windows XP desktop, types in MSCONFIG in run, and says "Look. It runs slow because half the drivers aren't Microsoft certified! I want this fixed!"

I don't even bother to try to explain to him that saying a driver is bad because it is not Microsoft certified is like saying a chef is no good because he is not McDonald's certified. I calmly look at the laptop myself.

Turns out this fool was running Windows XP Pro with only 256MB RAM, with 64MB of that shared for the video card, and two antivirus packages running scans at startup. I asked him why he did that, and he said "So the second virus scanner can pick up the viruses that the first one missed".

Being a long time believer in the old saying "A fool and his money are soon parted" I didn't argue against this, and told him he needed more RAM. He didn't believe me, so I ended up grabbing another 512MB stick out of stock, put it in the laptop and fired it up to show him how much faster it could run. He was happy.

Thank goodness I gave up that job.

I spoke to the guy that took that job after me, he said he once had to call security on a guy that flung a laptop at him, almost hitting him in the head!

Happened to me too (4, Insightful)

Spacejock (727523) | more than 7 years ago | (#19789229)

I have a website with a bunch of my own freeware apps available. On two separate occasions I've had a number of emails from users of major AV software asking me what the hell I was playing at trying to install trojans on their PCs. In both cases it was false positives, one from NAV and the other from the company mentioned in this article (which is what prompted me to post). Each time they eventually got around to correcting their definitions, but sure as anything it'll happen again. And in the meantime, how many dozens or hundreds of people assumed I was one of them there nasty spammer trojan virus people trying to infect their PC?

Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.

Re:Happened to me too (1)

NeverVotedBush (1041088) | more than 7 years ago | (#19789699)

Google recently published a study finding that approximately 10% of web sites have been hacked and actually do contain malicious code.

Do you run programs like tripwire from a secure, off-net host, that monitor your website box to make sure that it has not been compromised and actually does have malicious code?

Re:Happened to me too (0)

Anonymous Coward | more than 7 years ago | (#19790729)

What do you think? It's some pimple faced teenager masturbating in his basement with a server on DSL.

Re:Happened to me too (0)

Anonymous Coward | more than 7 years ago | (#19790949)

Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.

Try Virustotal [virustotal.com] for a service that does this for you.

Re:Happened to me too (0)

Anonymous Coward | more than 7 years ago | (#19793807)

You might want to try virustotal.com. It will run most popular AV engines over your submitted file and spit out the results.

Fair enough developers shouldn't have to do this but its a useful tool if you do get reports of a FP and want to find the culprits.

False positives trick users. MS is adversarial. (5, Interesting)

Futurepower(R) (558542) | more than 7 years ago | (#19789271)

Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and nothing in it but documentation!

But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.

The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.

Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.

On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.

The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.

That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP [secunia.com] alone that haven't been fixed. There are 7 known vulnerabilities [secunia.com] in the latest version of the Microsoft Internet Explorer browser that the company has not fixed.

Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.

Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.

Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.

The New York Times article Corrupted PC's Find New Home [nytimes.com] also makes that point.

Note that the Apple operating system, OS X [apple.com] , and the Open BSD [openbsd.org] operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.

We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.

Re:False positives trick users. MS is adversarial. (2, Insightful)

aerthling (796790) | more than 7 years ago | (#19789435)

The Open BSD web site says 2 in 10 years.

It actually says 2 remote holes in the base installation in more than 10 years. If you want a full list of all the vulnerabilities in OpenBSD ever, you can count them all here: http://openbsd.org/errata41.html [openbsd.org]

Have fun.

Remote holes are what count for novice home users. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19790747)

How many "remote holes" have been found in the base install of Windows? Hundreds? Remote holes in the base install are what count for novice Windows users, who are mostly at home, with no network, and use their computers only for email, web surfing, and typing a few letters, and signs like "wet paint".

I don't understand your objection, if you are objecting.

Re:False positives trick users. MS is adversarial. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19789537)

Good FUD there.

On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

List the folders. All of them. Otherwise, I honestly refuse to believe that. Also, temp files are listed under Disk Cleanup. If you run that (and it will suggest you do if you start running out of space), then it will remove them.

The number of temp files or folders is nothing to do with security.

Only one of the vulnerabilities you listed is critical and requires that someone open a malicious .mdb file specifically in Access 2003. Most of the others require either physical access to the machine or access to a LAN connected to the machine, hence they haven't been treated with priority.

Saying "it is well known how to write secure software" is disingenuous bullshit, and shows a complete lack of knowledge on coding anything more than a 'Hello World' app. So is saying "Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price." when upgrade versions are labelled clearly and with lower prices.

You are 100% full of crap and if your Slashdot account wasn't just a shill to get people looking at your shitty tech website I would probably care more.

It really *is* known how to write secure software. (2, Interesting)

argent (18001) | more than 7 years ago | (#19789979)

Secure software doesn't mean "software that has no security holes". It means "software that is designed so that failure doesn't create security holes". Secure software is, by default, inherently safe. Secure software provides feedback on errors. Secure software can not be unlocked except from the "outside". Secure software provides interfaces and protocols with no paths leading to elevated privileges. Secure software provides fault isolation and user-visible and manageable layering.

Secure software may have bugs that lead to exploitable vulnerabilities, but fixing these bugs will not break third-party components that depend on public interfaces and protocols exposed by the software, because the privileges exposed by the vulnerability are never intended to be exposed.

For example, if an interface in a secure application provides an object (file, script, applet, web page, ...) more privileges than the application itself normally provides, then:

(1) That interface is disabled by default. Ideally, there is no code path in the application that leads to that interface.
(2) Enabling that interface requires a deliberate premeditated action by the user or administrator. Ideally, this action involves a plug-in or other component in a distinct repository from the one that the application normally uses, and running a new instance of the application (or a new shell around the application) that has access to that repository.
(3) Enabling that interface in one instance of the application does not enable it in any other instance.
(4) An instance of the application with that interface enabled can not be accessed by any request to an instance of the application with that interface disabled.
(5) The mechanism by which a user launches the modified instance of the application is clearly distinct.
(6) The modified instance of the application does not include a mechanism to load new objects through protocols that are normally used to access untrusted data, except using addresses (URIs, file paths, etcetera) that are provided by the application itself, or by launching a new instance of itself without any unsafe interfaces enabled.

The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".

(1) It is enabled by default.
(2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.
(3) There is only one pool of plugins for IE. Worse, there is one pool of plugins shared among all applications that use the HTML control.
(4) You can't disable it, all you can do is tell IE to avoid "unsafe" controls, and even then the default behavior for "unsafe" controls is risky.
(5) There's no distinct instance of IE... rather there's a set of heuristics for the HTML control to use to try and guess whether the document being viewed should be considered "safe" or not.
(6) The HTML control makes the decision as to whether to load an object, not the application.

Most browsers have *some* shortcomings in this area, but few to anywhere near the extent of IE, and none are designed so that fixing these shortcomings will break working applications until they are redesigned to access the browser through a new API.
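A small executable model of the six rules argued above, added here as an example and not the poster's code: the host, the "activex" interface name, the plugin repository paths and the URIs are all constructed for the demonstration.

```python
"""Model of the six 'privileged interface' rules from the post above.

Added example, not the poster's code: the host, the interface name
'activex', the repository paths and every URI are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

UNTRUSTED_SCHEMES = frozenset({"http", "https"})  # protocols carrying untrusted data


class PrivilegeError(PermissionError):
    """Raised whenever a request would cross one of the rules."""


@dataclass(frozen=True)
class Instance:
    """One running instance of the application.

    Rules 1 and 3: `enabled` is empty by default and belongs to this instance
    alone; the dataclass is frozen, so 'turning on' an interface means
    creating a new instance (see launch_privileged), never mutating this one."""
    name: str
    enabled: FrozenSet[str] = frozenset()
    repository: FrozenSet[str] = frozenset()  # plugins only this instance may load

    def load(self, uri: str, wants: str = "") -> str:
        """Load an object; `wants` names the privileged interface it asks for."""
        scheme, _, path = uri.partition(":")
        if not wants:                                        # ordinary, unprivileged content
            return f"{self.name}: rendered {uri} without privileges"
        if wants not in self.enabled:                        # rule 1: disabled by default
            raise PrivilegeError(f"{wants} is disabled in {self.name}")
        if scheme in UNTRUSTED_SCHEMES:                      # rule 6: never via untrusted protocols
            raise PrivilegeError(f"{wants} objects are never loaded over {scheme}")
        if path not in self.repository:                      # rule 2: only the distinct repository
            raise PrivilegeError(f"{path} is not in the repository of {self.name}")
        return f"{self.name}: ran {path} with {wants}"


def launch_privileged(base: Instance, interface: str, plugins: Iterable[str]) -> Instance:
    """Rules 2 and 5: a deliberate, separately launched instance with a
    distinct name and its own repository; `base` itself is left unchanged."""
    return Instance(name=f"{base.name}-{interface}",
                    enabled=base.enabled | {interface},
                    repository=frozenset(plugins))


class Host:
    """Rule 4: a request is delivered only to the instance it was addressed
    to; there is no path from an unprivileged instance into a privileged one."""
    def __init__(self, *instances: Instance) -> None:
        self.instances: Dict[str, Instance] = {i.name: i for i in instances}

    def dispatch(self, target: str, uri: str, wants: str = "") -> str:
        return self.instances[target].load(uri, wants)


def demo() -> Dict[str, str]:
    """Exercise the rules; returns each attempt's outcome keyed by scenario."""
    default = Instance("browser")
    admin = launch_privileged(default, "activex", ["/opt/plugins/report.ctl"])
    host = Host(default, admin)
    outcomes: Dict[str, str] = {}

    def attempt(key: str, target: str, uri: str, wants: str = "") -> None:
        try:
            outcomes[key] = host.dispatch(target, uri, wants)
        except PrivilegeError as err:
            outcomes[key] = f"refused: {err}"

    attempt("plain_page",       "browser",         "https://example.test/page")
    attempt("web_in_default",   "browser",         "https://example.test/page", "activex")
    attempt("web_in_admin",     "browser-activex", "https://example.test/page", "activex")
    attempt("repo_in_admin",    "browser-activex", "file:/opt/plugins/report.ctl", "activex")
    attempt("foreign_in_admin", "browser-activex", "file:/tmp/dropped.ctl", "activex")
    return outcomes


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key:16} {result}")
```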

Re:It really *is* known how to write secure softwa (1)

dabraun (626287) | more than 7 years ago | (#19791697)

The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".

(1) It is enabled by default.

By default it will ask users if they want to install controls after first showing them the signature information.

(2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.

Completely false - it is trivial to disable ActiveX controls and it can be done without launching the browser (right click on IE in your start menu, choose Internet Properties.)

(3) There is only one pool of plugins for IE. Worse, there is one pool of plugins shared among all applications that use the HTML control.

This is true; this is being worked on.

(4) You can't disable it, all you can do is tell IE to avoid "unsafe" controls, and even then the default behavior for "unsafe" controls is risky.

As per above, you certainly can disable it and it's quite easy to do so.

(5) There's no distinct instance of IE... rather there's a set of heuristics for the HTML control to use to try and guess whether the document being viewed should be considered "safe" or not.

I'm not sure I understand your sentences here, but IE does run 'distinct instances' and unless the site in question is on the safe list (user specified sites ONLY) it runs IE instances in protected mode, highly isolated from even the current user account's data, never mind the admin data.

(6) The HTML control makes the decision as to whether to load an object, not the application.

Actually, the user makes the decision and the app hosting IE can not override this - the user will always be prompted - some would call this a security feature.

Your answers presume technical knowledge. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19791913)

You said:

"By default it will ask users if they want to install controls after first showing them the signature information."

"... it is trivial to disable activex controls and it can be done without launching the browser (right click on IE in your start menu, chose internet properties.)"

"As per above, you certainly can disable it and it's quite easy to do so."

It seems to me that your statements presume a high amount of technical knowledge. In decades, I have never known even one user to have much technical knowledge. They just want to use computers as a tool, not make computers a time-consuming profession.

Every home user I have known will "install controls". What would they do, call for technical help? Most users of computers don't have anyone to give them technical help. The best they have is people like the Geek Squad at Best Buy, an option that 1) is very expensive, 2) depends on people who probably do not know the answer, 3) takes a lot of time, and 4) does not allow asking single questions.

The underlying point is that the "default install" of Microsoft operating systems is insecure beyond the ability of most users to correct, and that Microsoft profits by providing an operating system that is, for most users, effectively insecure.

Re:False positives trick users. MS is adversarial. (0)

Anonymous Coward | more than 7 years ago | (#19790905)

List the folders. All of them. Otherwise, I honestly refuse to believe that.

Next time ask a tough one, please. Now I can't get up to 49, but there are a ridiculous number of places:
  • %TEMP% (usually %LocalAppData%\Temp)
  • Wherever IE hides its TEMP directory (no, not the cache)
  • %SystemRoot% (really, I don't know why)
  • [Every Drive]\Recycler
  • [Every Drive]\System Volume Information
  • [Any Drive]\[Random Characters].tmp
  • %SystemDrive%\TEMP (yes, really)

Also, temp files are listed under Disk Cleanup. If you run that (and it will suggest you do if you start running out of space), then it will remove them.

You'd think that. You'd be wrong. It erases the contents of %TEMP% and IE's cache, but that's it. It won't erase the [Any Drive]\[Random Character].tmp directories that the Windows Installer loves to create (by the way, that's generally one per patch from Windows Update), it won't clear out useless data in System Volume Information, and it won't remove unneeded Recycler information. (You'd think that when the recycle bin is empty, Recycler would be empty. You'd be wrong.)

I'm glad Slashdot forces that preview, apparently Slashdot doesn't support the P tag.

Re:False positives trick users. MS is adversarial. (1)

Kalriath (849904) | more than 7 years ago | (#19793839)

%TEMP% (usually %LocalAppData%\Temp)
Temporary Directory for programs in User Space

Wherever IE hides its TEMP directory (no, not the cache)
Doesn't exist - bullshit

%SystemRoot% (really, I don't know why)
No temp files are stored in this place by the operating system, save PAGEFILE.SYS which is your virtual memory - bullshit

[Every Drive]\Recycler
The RECYCLE BIN?!? Explicit user action is required to get files there! When empty, its contents will be the typical stuff - one desktop.ini per user, in a subfolder with the user's SID as its name. Again - bullshit

[Every Drive]\System Volume Information
System Restore - not a temp folder. No temp files are stored there, but a HUGE amount of your drive will be used by it, to ... well, do system restore. Turn off System Restore, and the folder uses FAR less space. Again - bullshit

[Any Drive]\[Random Characters].tmp
The operating system does not create folders matching this pattern. If you see folders which are just what looks like a GUID with no dashes, TRY REBOOTING. Again - bullshit

%SystemDrive%\TEMP (yes, really)
Applications in SYSTEM space don't know where your user space temp directory is (they're isolated from user space), so they use this folder. Well, DUH.

The fundamental issue is correct. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19794689)

There are people whose only way of making a living is to work with Windows. Those people sometimes feel very threatened if they learn something new about Windows.

Consider your manner. Basically, you communicate that if you disagree with someone, they are wrong, and not only that, they are to be scorned and otherwise treated badly.

Slashdot readers should remember that no one is paid to comment on Slashdot. If the underlying point is correct, it is not necessary to be particularly intense about a detail that is in error.

In this case, the underlying point is correct. The Slashdot story on which we are commenting is about malware. The point is being made that there are a lot of unnecessary places for malware to hide. Maybe Microsoft managers did not design Windows to be costly to maintain. But they certainly allow that.

To "Wherever IE hides its TEMP directory (no, not the cache)" you said, "Doesn't exist". However:

C:\Documents and Settings\ user \Local Settings\Temporary Internet Files\
for each value of user is where IE puts its "Temporary" files.

To "%SystemRoot% (really, I don't know why)" you said, " No temp files are stored in this place by the operating system, save PAGEFILE.SYS which is your virtual memory"

Maybe he left out some characters there, and meant the SystemRoot Temp folder. Remember, %SystemRoot% is usually C:\WINNT. The PAGEFILE.SYS file is in %SystemDrive%\ which is usually C:\, where Windows keeps its Temp and Tmp folders. Windows XP puts HIBERFIL.SYS in %SystemDrive%\, and doesn't always delete the file if Hibernation is turned off. HIBERFIL.SYS is huge, a little larger than system memory.

To "[Any Drive]\[Random Characters].tmp" you said, "The operating system does not create folders matching this pattern."

He is talking about files, not folders. I just checked a test system. This is one of the results:

Directory of C:\WINDOWS\Installer

09/09/2006 03:44 AM 110,950 MSI26.tmp
04/11/2006 09:13 PM 474,624 MSI68.tmp
04/11/2006 05:08 PM 70,545,476 MSIBC.tmp
04/11/2006 05:08 PM 474,624 MSIC6.tmp
4 File(s) 71,605,674 bytes


The fundamental issue is that Windows has no automatic method of dealing with these unnecessary files. And that sometimes causes people to buy another computer, because the file system becomes slower when there is not much free space.

Re:The fundamental issue is correct. (0)

Anonymous Coward | more than 7 years ago | (#19795343)

But he's disputing the point and trying to debunk the misconceptions some here seem to have.

To "Wherever IE hides its TEMP directory (no, not the cache)" you
said, "Doesn't exist". However:

  C:\Documents and Settings\ user \Local Settings\Temporary Internet Files\

for each value of user is where IE puts its "Temporary" files.
Read the bit you quoted again. It says "no, not the cache". Temporary Internet Files *is* the cache, isn't it? (OK, plus where Outlook temporarily writes attachments you view.) If that's not the cache, where do you think the cache is?

Next time, skip the anger. (2, Informative)

Futurepower(R) (558542) | more than 7 years ago | (#19791277)

Acting out your anger is optional. Next time, try dealing with your anger yourself, rather than making it a problem for others.

You said, "The number of temp files or folders is nothing to do with security."

You didn't read what I said carefully. I said that, if temp files fill the hard drive, the file system becomes slower. And also, even worse, the defrag program refuses to operate. When computers become slow, many users buy a new computer.

A few temporary file locations in the Windows XP operating system:

C:\Documents and Settings\Administrator\Local Settings\Temp\
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\

C:\Documents and Settings\ user \Local Settings\Temp\ and
C:\Documents and Settings\ user \Local Settings\Temporary Internet Files\
for each value of user. On the computer that had the trouble, there are several users.

C:\Documents and Settings\NetworkService\Local Settings\Temp\
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\

C:\Documents and Settings\LocalService\Local Settings\Temp\
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\

C:\Documents and Settings\Default User\Local Settings\Temp\
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\


According to Microsoft, these may all be different:
%SystemRoot%\Temp\
%SystemDrive%\Temp\
%SystemRoot%\Tmp\
%SystemDrive%\Tmp\


In my opinion, it doesn't matter how many temp file locations defined by the operating system there are, if the number is more than, let's say, 2. I've seen computers infected with malware that uses temp file locations of other users to store files, marked read only. There is no method provided by Microsoft, that runs automatically, that deletes read only temp files in all the locations, and does that securely under OS control, so that malware cannot use those locations between computer re-starts. That's my understanding, and you haven't said differently.

Also, most users don't know to run Disk Cleanup. The point is, most users are not technically knowledgeable, and are not able to maintain Windows, and, as the New York Times article to which I linked says, they buy new computers, because that is cheaper than trying to maintain the OS.

The fundamental point: Given what I have just mentioned, I don't see that Microsoft is caring towards its customers. The company could do far, far better. Microsoft apparently doesn't do better because Microsoft managers believe it is morally acceptable to use adversarial methods to make a profit.

I didn't know I had a website. I just looked, and I can see I do. I don't have much time to make a web site, and I had forgotten that I had an index.html. Normally, I just provide links to particular articles.

Anyhow, look at this article on my "web site": Windows XP Shows the Direction Microsoft is Going. [futurepower.net] Quote:

Bruce Schneier, well-known computer security analyst, said in his November 15 newsletter that this article is "A well-written analysis of the major security/ privacy/ stability concerns of Windows XP." Mr. Schneier wrote the books Applied Cryptography and Secrets and Lies: Digital Security in a Networked World, and other books.

Back then, several years ago, I thought Bruce was being overly generous. However, soon after I published my article, which was translated into French and Spanish by readers, and other languages for which I could not find an editor to verify the translation, security vulnerabilities were found that I predicted in the article.

On one computer, 75 cache folders. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19793167)

And don't forget cache folders made by the Windows XP OS, and temp folders made by applications:

C:\WINNT\PCHEALTH\HELPCTR\Config\Cache

If you have Microsoft Office installed, there are two more apparently for each user:

C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Cache
C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Temp

And Microsoft provided no guidance to developers, so software companies put temporary files everywhere, and forget to delete them sometimes (often). On one computer, I listed 75 cache folders, and those are just the cache folders that begin with the letters "cache". Try it yourself by running these commands with an account that has administrator privileges:

%systemdrive%
CD \
DIR cache*.* /S /AD /B


The point is, there are temporary files stored in many, many places, when Microsoft could have provided one Temporary files folder and one Cache folder, and required that application developers use sub-folders in those folders.

All that disorganization has the effect of making Windows more expensive to administer. If an application forgets to delete its temporary files, eventually that uses the available space, and the computer becomes slow. Often people buy new computers when their computers get slow, making Microsoft more money.

With better organization, there could be a program that deletes unneeded files, making the Microsoft operating system far better for users.
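As an added example, not taken from any of the posts above: a PowerShell script that walks the temp and cache locations named in this comment and the preceding one (the fixed %SystemRoot%/%SystemDrive% folders, the per-profile Local Settings folders, and every directory on the system drive whose name starts with "cache", the same search as the DIR command quoted above), reports how much space each holds, and lists the read-only files and executables that a plain delete pass leaves behind. The paths are assumptions based on the Windows XP layout shown in the thread; on Vista and later the per-user folders live under C:\Users\<user>\AppData\Local instead. Recycler and System Volume Information are left out on purpose, since they are the recycle bin and System Restore rather than temp folders.

```powershell
# Added example, not from the original posts: enumerate the temp/cache
# locations discussed in the thread and report what normal cleanup misses.
# Assumes the Windows XP profile layout (Documents and Settings); adjust
# $profileRoot for Vista+ (C:\Users\<user>\AppData\Local\Temp).
# Run from an administrator PowerShell; the cache* search walks the whole
# system drive and can take a few minutes.

$profileRoot = Join-Path $env:SystemDrive 'Documents and Settings'

# Fixed locations named in the thread.
$locations = @(
    (Join-Path $env:SystemRoot  'Temp'),
    (Join-Path $env:SystemRoot  'Tmp'),
    (Join-Path $env:SystemDrive 'Temp'),
    (Join-Path $env:SystemDrive 'Tmp'),
    (Join-Path $env:SystemRoot  'Installer'),
    (Join-Path $env:SystemRoot  'system32\config\systemprofile\Local Settings\Temp'),
    (Join-Path $env:SystemRoot  'system32\config\systemprofile\Local Settings\Temporary Internet Files'),
    (Join-Path $env:SystemRoot  'PCHEALTH\HELPCTR\Config\Cache')
)

# One Temp and one Temporary Internet Files folder per profile, which
# includes NetworkService, LocalService and Default User, plus the Office
# update folders listed above if they exist.
if (Test-Path -LiteralPath $profileRoot) {
    Get-ChildItem -LiteralPath $profileRoot -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $locations += Join-Path $_.FullName 'Local Settings\Temp'
            $locations += Join-Path $_.FullName 'Local Settings\Temporary Internet Files'
            $locations += Join-Path $_.FullName 'Application Data\OfficeUpdate12\Cache'
            $locations += Join-Path $_.FullName 'Application Data\OfficeUpdate12\Temp'
        }
}

# Equivalent of DIR cache*.* /S /AD /B from the system drive root.
$cacheDirs = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'cache*' }
$locations += $cacheDirs | ForEach-Object { $_.FullName }

# File types that have no business sitting in a temp folder unattended.
$executable = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
$report = @()

foreach ($dir in ($locations | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    if ($files.Count -eq 0) { continue }

    # Read-only files survive a naive "del *.*"; executables in temp are
    # the "places for malware to hide" the thread is arguing about.
    $readOnly = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::ReadOnly })
    $exes     = @($files | Where-Object { $executable -contains $_.Extension.ToLower() })
    $bytes    = ($files | Measure-Object -Property Length -Sum).Sum

    $report += New-Object PSObject -Property @{
        Path        = $dir
        Files       = $files.Count
        MB          = [math]::Round($bytes / 1MB, 1)
        ReadOnly    = $readOnly.Count
        Executables = $exes.Count
        Oldest      = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    }
}

# Summary, biggest consumers first.
$report | Sort-Object MB -Descending |
    Format-Table Path, Files, MB, ReadOnly, Executables, Oldest -AutoSize

# Detail for the two categories worth a second look.
$report | Where-Object { $_.ReadOnly -gt 0 -or $_.Executables -gt 0 } |
    ForEach-Object { $_.Path } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           (($_.Attributes -band [IO.FileAttributes]::ReadOnly) -or
                            ($executable -contains $_.Extension.ToLower())) } |
            Select-Object FullName, Length, Attributes, LastWriteTime
    }
```

The script only reports; nothing is deleted. Deciding what to remove is a separate step, and a read-only or executable file in another user's Temp is a reason to look at the file before clearing the folder, not after.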

More Windows OS Temp files. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19793593)

I wouldn't want anyone to think that I had listed all the temp folders created by the Microsoft Windows operating system. I just had to stop to do something else. Here are a few more:

One for each user who uses NT Backup:
C:\Documents and Settings\ user \Local Settings\Application Data\Microsoft\Windows NT\NTBackup\temp\

C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\
C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\
C:\WINNT\system32\CatRoot\{127E0A1A-4EF2-11E1-8608-01B04FC291E0}\TempDir\
C:\WINNT\system32\CatRoot\{F259E6C3-38EE-11E1-85E5-01B04FC291E0}\TempDir\
C:\WINNT\system32\config\systemprofile\Local Settings\Temp\
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\

Re:More Windows OS Temp files. (1)

Kalriath (849904) | more than 7 years ago | (#19793893)

Demons, you persist in using APPLICATIONS to mean the Operating System! NT Backup, not an OS component. Installed with the OS, yes. NOT part of it. ASP.NET. Not an OS component. And you decide to tack in folders that don't exist on the PCs of anyone who's actually recently REBOOTED (the ones under CatRoot) and a couple of temporary user-space folders (System has a profile too, you know).

Your entire ranting is a whole load of FUD. I assume if I felt the inclination to look at your "website" (which I don't) I'd find nothing but Microsoft bashing right? Grow up and find some real stuff to bitch about. It's Microsoft, they have plenty of REAL reasons to bash them.

I found old .tmp files in Catroot. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19794557)

I just rebooted a test system. Result: Old .tmp files in Catroot.

Microsoft.NET files are present in a default install of Windows XP.

NT Backup is the backup program provided with the Windows OS. A backup program is a necessary OS component.

You said, "It's Microsoft, they have plenty of REAL reasons to bash them."

Okay, what are YOUR reasons?

Anyhow, the point is made that there are a LOT of places for malware to hide, far more than even Slashdot readers generally know. Think how difficult it is for the average user when "temporary" files fill the hard drive and make Windows slower.

Ha ha ha (1)

sid0 (1062444) | more than 7 years ago | (#19789889)

I get a good laugh every time anyone says OS X has "very few" or "hardly any" vulnerabilities. Try telling that to Secunia [secunia.com].

Re:Ha ha ha (1)

_Ludwig (86077) | more than 7 years ago | (#19790325)

"The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical (2/5)"

Laugh away.

Re:Ha ha ha (1)

TheLink (130905) | more than 7 years ago | (#19790967)

(I used to work in the IT Security line).

Using OSX is safer (for now), but to say OSX is more secure than Windows is foolishness.

Most of the Windows malware _running_ out there doesn't even care about root/admin privileges. Most are zombie machines to spam or DDoS and spread. Don't need root/admin for that.

By default OSX and Linux run stuff unsandboxed with the same privileges as the logged on user and the logged on user has lots of network privileges, can set up cron jobs, and all other nice stuff (perl + There's More Than One Million Ways To Do Malware ;) ). So if OSX or Linux ever get >50% of market share, I'm sure they'd have the same amount of malware if not even _more_.

All you need is one prob in Firefox/Safari, or a silly user to run something and you're in. There are many bugs in Mozilla - it's written by the Netscape programmers so go figure.

In contrast many off-the-shelf Windows firewalls (including Windows XP SP2) sandbox/control the execution of arbitrary programs - require user to approve network access etc. Sure it may not be that secure but it's a lot easier for "Aunt May" than SELinux.

Given the lack of "Desktop User friendly" sandboxing for OSX, I'd say that OSX is actually harder to keep secure for "Joe Public".

BUT, in practice, since OSX is not really a target, "Joe Public OSX users" don't need all that stuff yet. It's like OSX users are living in some small village where it's safe even if you leave your front door open. Hardly anyone is going to break in yet.

Windows XP SP2 is actually more secure, unfortunately it's "located in a dangerous part of town", so using it is NOT safer than OSX (for now).

Note: I'm not referring to the security abomination that's called Vista - Vista's UAC just trains already click-thru happy users to click-thru even more. If Microsoft cared about security they should have implemented sandbox _templates_ or something similar.

Sandbox templates can go a long way in making things secure - since if a program claims to be a screensaver but requests the user give it "Full User Privileges" (or even Full System Privileges) it's likely to be up to no good.

If it requests the user give it "screensaver" privileges, if you do things right, it's not going to be able to do much - no access to network, filesystem, keyboard, mouse, microphone (yeah no eavesdropping), no nothing, except drawing pretty pictures. So it'll need to exploit the graphics driver (which is probably not impossible given the buggy drivers out there, but takes a lot more work).

I hope you can now see that the popular OSes are all very primitive and inadequate when it comes to desktop user class security. SELinux is not for "Aunt May". AppArmor is not that bad, but still not quite there yet. SELinux/AppArmor need lots more stuff on top to make things seamless and easy for users to not screw up.

Underlying point: Microsoft is adversarial. (1)

Futurepower(R) (558542) | more than 7 years ago | (#19791713)

I've seen this kind of statement frequently: "OS X is not better."

You said, "By default OSX and Linux run stuff unsandboxed with the same privileges as the logged on user and the logged on user has lots of network privileges, can set up cron jobs, and all other nice stuff..."

By default, and largely because they are forced, most Windows users run with administrator privileges, and malware can modify the operating system. I don't know OS X, but my understanding is that OS X is not that insecure.

Also, you said, "Note: I'm not referring to the security abomination that's called Vista - Vista's UAC just trains already click-thru happy users to click-thru even more. If Microsoft cared about security they should have implemented sandbox _templates_ or something similar."

You seem to agree with my underlying point, which is that Microsoft is uncaring towards its users, apparently because Microsoft managers believe that it is morally acceptable to use adversarial methods to make a profit.

You said, "Most of the windows malware _running_ out there don't even care about root/admin privileges. Most are zombie machines to spam or DDoS and spread. Don't need root/admin for that."

The high maintenance costs for Windows operating systems come partly from users and malware having admin privileges. Zombies are not the biggest problem, the biggest problem is that a stranger has complete and lasting control over a user's computer.

Apparently Microsoft managers lack confidence in themselves. If they had confidence, they would make a profit by making good products, and would not depend on adversarial methods to make a profit.

I definitely agree with your point that operating systems have a long way to go to provide the maximum possible security.

Re:Underlying point: Microsoft is adversarial. (1)

TheLink (130905) | more than 7 years ago | (#19792103)

"most Windows users run with administrator privileges"

Sure, but technically they don't have to and it doesn't really matter in the big picture. Most Linux users would happily do "perl Makefile.pl; make; make test. switch to root, make install" without caring. Most users are ignorant (they can't know everything) and the popular OSes (OSX included) do not make it easy for them to do "the right thing".

It is unreasonable to require a normal person to _correctly_ figure out what an arbitrary program would _actually_ do before deciding to run it or not. Even when aided by an AV program, how would the AV program decide what the perl script would do if the script googled for code using keywords and ran eval on it ;).

Whereas it should be much more reasonable to require a normal person to figure out what a program _should_ be _allowed_ to do.

"the biggest problem is that a stranger has complete and lasting control over a user's computer. "

My points are:
0) In the case of "Aunt May"'s PC, it doesn't really matter if the stranger has complete control or not. With current primitive OSes (OSX or not) - the stranger will have _enough_ control (full access to user data, and user privileges), AND lasting control (user ignorance is widespread ).
1) from the tech perspective, OSX is not more secure than windows XP SP2. In fact I claim (and arguably show) it is less secure.
2) OSX is safer from the practical perspective - best defense is nobody wants to attack you.
3) They all suck from a security standpoint - haven't improved much in 40+ years?

Re:False positives trick users. MS is adversarial. (1)

flyingfsck (986395) | more than 7 years ago | (#19790667)

Hmm, OpenBSD is playing it down though. I have nothing against my fellow Calgarian, but Theo's system is certainly not as good as he claims. It is on par with Linux - no better - no worse.

Re:False positives trick users. MS is adversarial. (1)

Pyrion (525584) | more than 7 years ago | (#19791975)

So what do you think would happen if Microsoft did everything right and good from your perspective? Or, more pointedly, how many corporations would Microsoft be putting out of business by fixing all the problems with their operating systems?

Those who stand to make money off of plugging the leaks in Windows would have a pretty damn good case for claiming "anti-competitive behavior."

Important argument: Immoral behavior provides jobs (1)

Futurepower(R) (558542) | more than 7 years ago | (#19792057)

You said, "... how many corporations would Microsoft be putting out of business by fixing all the problems with their operating systems?"

Yours is an argument being made nationally concerning the U.S. government. Something like, "If the U.S. government stops killing people for money [krysstal.com], a lot of U.S. citizens will have to find other jobs."

The jobs will be there. Running a business or a country well helps create prosperity. Prosperity creates jobs.

Problem with Windows (1, Insightful)

cdrguru (88047) | more than 7 years ago | (#19789667)

The problem with Windows is the ease-of-use. Let's see... I can email a link to an executable file to someone and when they click the link it runs the program. I can also email the executable itself and upon opening the attachment it will run the program.

This is very helpful in a corporate environment. When there are malicious people on the Internet this is a disaster. Which is the "right" way?

Sure, Windows could be made more secure. Unfortunately, all the security in the world will not prevent a machine from being compromised if the user runs a program. This is the "hole" in Vista - if you run a program and authorize it to run it will run and can affect the operation of the machine. Period.

Would a secure root/user logon environment make Windows secure? No. That is what Vista has implemented and it does not prevent the machine from being compromised.

Re:Problem with Windows (1)

sid0 (1062444) | more than 7 years ago | (#19789851)

And this is the hole in absolutely every OS ever made. Every OS will allow you to run a program that deletes your files, for instance. There is simply no patch for human stupidity.

Re:Problem with Windows (1)

SEMW (967629) | more than 7 years ago | (#19795137)

"if you run a program and authorize it to run it will run and can affect the operation of the machine" -- I don't wish to sound sarcastic, but what would you suggest an OS should do if you run a program, and explicitly authorize it, apart from, well... run it?

I seem to say this a lot, but... (1)

_Shad0w_ (127912) | more than 7 years ago | (#19789679)

I think someone needs to read Hanlon's Razor. Although I think I prefer Ingham's "Cock-up theory" myself.

EULA (1)

micktaggart (1047954) | more than 7 years ago | (#19790057)

Won't this be covered by the software product's EULA? As user you have to abide by the license, but as competitor you can bring them to court to get to change the software. Hrrm.

Dumb question: Why not reinstall OS regularly? (1)

nbauman (624611) | more than 7 years ago | (#19790493)

When I go into a computer cafe and sign in, they (apparently) copy a disk image of the hard drive onto my computer. If I pick up any malware, it's eliminated because the whole hard drive is erased and the OS reinstalled for the next customer.

Why can't I do that at home? I could (and do anyway) make a disk image of the partition with my operating system and apps with GHOST or something, save it on a DVD, and re-install it whenever my computer seems to be infected with malware or is acting funny for any reason.

The other thing I do is, when I install my OS and apps, I make a detailed log of the configurations, so I can easily reinstall them again. (I'm following the example of a friend who was a nuclear engineer.) That makes it relatively easy to reinstall the system. Yeah, reinstall takes an hour or so, but it's a lot easier, faster and more reliable than trying to eliminate malware or to trouble-shoot whatever is really causing the problem.

Re:Dumb question: Why not reinstall OS regularly? (0)

Anonymous Coward | more than 7 years ago | (#19794329)

There's an easier way.

Install a stripped-down linux system (basic kernel, xorg, no wm/de), then install vmware-server. Install windows on the vmware image, then take a snapshot once it's setup how you want it. Then you can set vmware to revert to the saved image every time you "turn off" the virtual machine. Every time you boot up, you'll have a fresh install.

Re:Dumb question: Why not reinstall OS regularly? (1)

Tsuki_no_Hikari (1004963) | more than 7 years ago | (#19795039)

It's a program like DriveShield. Basically works like reimaging it each time you reboot, but only altered files are overwritten I imagine. You never noticed a speed difference while rebooting.

Either that or it played with the file system and only made things seem like you edited them, while just putting the file in a temp space. Never did try filling the college hard drives. Should have torrented more..

Interesting -- and it's not a false positive (3, Interesting)

ratboy666 (104074) | more than 7 years ago | (#19790909)

The idea that an "anti-virus" program that does signature checking against a (almost continuously) updated database of virus signatures is probably a good source of "genetic material" for a virus will eventually occur to someone who does malware.

And, just for grins, it's catalogued. So, to use that genetic material, the virus simply needs the key (and the knowledge that a particular anti-virus program is installed). That is probably denser than trying to keep the infection information with the virus itself.

In other words, target Kaspersky "protected" systems (or any other "anti-virus" vendor's) specifically.

Why? Hell, I would do it just because it would amuse me to no end!

OT: Virus Sources (0, Flamebait)

zippthorne (748122) | more than 7 years ago | (#19791067)

Other than the obvious, AV vendors actually creating the beasties they protect against..

Has anyone calculated the odds that a virus could be created by transmission error (assuming negligence in checksumming)?

I'm sure it's very low, but are we talking, "Not before the Heat death of the universe" low or "struck by lightning while being mauled by a bear" low?