Full Disclosure mailing list archives

[Fwd: Re: Microsoft AntiSpyware: Will it be free and Vulnerable]


From: devis <devis () easynix net>
Date: Wed, 12 Jan 2005 05:30:08 +0100


Dan Margolis wrote:

On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
It is a proved matter that spyware does exploit IE holes (iframe bugs, ActiveX, etc.). Do your work on a few and you will see.

Perhaps some do, but generally speaking this is unnecessary for spyware
to exist, as I said before; spyware exists regardless of such
vulnerabilities. Besides, you missed the point entirely: if a user, just by clicking, can install spyware on his machine, then the OS / browser is to blame, not the actual (bad) code (exploiting it) floating around websites.

A user can install spyware with one click for the same reason he can
install a *good* application with one click.
That is where we do not agree. I do not believe a user should be able to install anything. I have set up a few unfortunates among my clients, who get bugged randomly, with a limited 'user' account and an admin account. Given you explain to them why, they understood perfectly and asked me why M$ didn't install in such a way. I answered that they prefer to expect their user base to be more stupid than able to comprehend.

Having the user run every
day with install privileges is relatively irrelevant; if he owns the
machine, he will have the ability to install things. Being prompted for
an admin password (as in the case of OSX) hardly prevents a stupid user
from installing crap.

Once again, you are missing the point completely: if M$ didn't 'slack code' their OS, spyware would:
1) not install

How do you intend to make spyware not install while still allowing the
user to install other things?

see up there.

2) therefore not exist in the form, numbers and variety we know them

See above.
I'll give you a clue:
try to get a 'tool bar' or some 'other added bonus' automagically on bsd/unix/linux/solaris using any browser, on any site, clicking randomly.

I cannot do so from "clicking randomly," but I quite easily can simply
from clicking "OK" to the download prompt. Firefox installs plugins and
toolbars just as easily as IE does.
You speak without trying. Please go install 'Gator' or 'Alexa Whats related' on such a box. I see your point about using the Firefox extensions / software install panel, but so far in the wild on unix machines ... no reports. If it ever gets used on Firefox for Windows, for example, to install spyware, it is because there is a Windows box behind it. Please find me ONE example of spyware in the wild that installs on a unix browser. Write a POC if it doesn't exist and please show that unix spyware in the home directory of the user is efficient.

As you said,
'It's very, very difficult to prevent people from voluntarily installing spyware on their own systems.' yes indeed, because MS made it that the average joe is an admin therefore has supreme powers out of the box.

So we don't give the *owner* admin privileges? Mac does this, as does
Linux. I don't know of a single OS where the machine's owner does not,
by default, have admin access.
No, we don't. Believe me, it's a 5-minute talk making a user aware of another account on his computer reserved for administrative tasks (new installs, updates, etc.).

Usability costs security. Always has, always will.

Of course. But the ability to execute code is pretty much
non-negotiable. I will never buy a general purpose PC on which I cannot
run programs of my choosing. And if MS sold one as such, you would be
here complaining about that instead.
The point is, spyware does not require OS vulnerabilities to be spyware,
but it does to install and therefore do its task.

and it likely, for a long time to come, never will. I never argued that
Windows is the most secure OS, however, only that spyware does not imply
bugs. And that point should, by now, be crystal clear.
Spyware does imply bugs and weakness. Once again, until you have proved that spyware out there in the wild installs or will install (in the near future) in other browsers, on unix, running a non-privileged account, I cannot agree with you. When you write spyware you are not only going to choose the most popular platform, but the easiest platform to do so. Spyware on Windows exists not only because it's the most popular OS, but mainly because it is trivial to adapt an installation of malware over a vulnerability (remember how Blaster spread?).

Basically, I am answering because you have given up on educating the average user, and this is plain wrong. Setting up the right security practices out of the box, then explaining to the average joe how to use his computer, would not seem just a tedious task now, if M$ had done it properly from the start. Educating the end user is still possible. We managed to tell them not to click random emails for the last few years, and some still do, but overall it's a big improvement.

Not trusting the user to improve is a big mistake. Not explaining why is equally a big mistake. The products have got to change, and the users will learn. Education is the key, not covering the bad tracks of the OS writer.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

