Good article Jeff. And yes, this is nothing new - George Smith has been pointing out how the AV emperor had no clothes and relies on instilling fear nearly two decades in the Crypt newsletter (and he should know, being one of the earliest authorities on the subject).
âI have a resident Linux server, which has NEVER had a virus in 9 yearsâ
âI recently had a virus/malware issueâ
Well, thatâs great. Nothing like being internally inconsistent.
BTW, I have a Windows server, which has NEVER had a virus in 4 years. Not even recently.
I was attempting to make the point that traditional sandboxes didnât work well, if at all. Sorry if that didnât come across. I write .net programs for a living (websites, not winforms) and looking at the permissions and setup is a real drag if not downright impossible hence my comment about making it easy for programmers as well as for users.
My point was network, disk, registry, keyboard, etc are all resources that need to be protected by the OS. They should not just be given away at the double-click of a mouse. For 90% of software it should be easy to say what it may and may not do in a succinct and easily presentable manner. I donât care if this breaks old programs. Call it Windows Secure Desktop Initiative or something catchy. If MS does it right theyâll continue to own the desktop, and every big vendor will scramble with that new upgrade to have a new little logo.
I donât blame MS, they couldnât have seen it coming, but for their own future they have to make fixes.
Windows continuing to be an insecure platform will push online applications as a better option, despite their limitations. Gmail and Google Docs never required an install. The future of desktop applications depends on the security of the desktop.
some readng for âsafe because there are so few of themâ camp: http://daringfireball.net/2004/06/broken_windows
I think we can kill a lot of birds with one stone hereâŚ
Am I the only one who doesnât understand the need of âinstallingâ the vast majority of applications? I can understand why we need to install system components. Things like DirectX, .Net Framework, etcâŚbut why do I need to âINSTALLâ games or applications?
If I have a game, I want EVERYTHING I need to run that game in the folder I tell it to. The registry is a huge messâŚscrew it. Everyone, stop using the registry. Iâd rather see a âconfig.xmlâ or a âconfig.iniâ than have to spend hours digging around the registry for whatever the application added.
The vast majority of .DLLs and crap that will get copied to the system directory will never be used by anything other than that one game or application and SHOULDNâT be put into the system folders.
When you execute a file, by default, it should ONLY have read/write permission to the folder it is in, and any sub folders.
If Iâm running IE and browse to some shaddy site, IE itself, should only be able to access the folder it sits in, and sub folders. That means, ALL of the data related to IE can be found in the folder and itâs sub folders.
If I install another copy of a Windows OS - I shouldnât have to âreinstallâ any of my games or apps. I should be able to browse to the folder it lives in, run it, it should work. See, during the install process a bunch of crap is put into little hidden spots of the registry and files are copied all over you HD. Without those files, the game wonât runâŚso you have to reinstall all of your games. Itâs crap.
What Iâd like to see is a filesystem based security system that views individual executable files as âusersâ. Each app, each game, each EVERYTHING, you can run has individual permissions that you can look at and modify. By default, it canât do anything but read and write to itâs folder and subfolders. If you want IE to be able to put files in C:\MyFiles - then you need to set the permissions of C:\MyFiles to allow IE access to write to it. Anytime an application attempts and fails to read or write data that doesnât belong to it - youâd see an error message. You know what file did it, and what it was trying to get at.
Taking it one step further, using this model, the VAST majority of applications could/would run just fine as long as the appropriate updates were made. The few installs that really should be âinstalledâ in the current sense are mostly well-known MS or other big name company products. If I go ot install the .Net Framework that should be a real install, but MS could certainly give it a âstampâ of approval; just like it does with signed drivers.
If someone gets a âHappyBunny.exeâ and they run it, it wonât be able to do much of ANYTHING. It has read/write access to some temp folder under IE. Even if it exploits some sort of buffer overflow, or something along those lines, and can excute code, the IE process, only has read/write access to itâs folder. If the application requests access to other folders, the user would get the error message with a âallow/denyâ type choice and then, if they allow, since HappyBunny.exe isnât digitally signed by MS - they get a big BIG ugly warning saying that there is virtually NO REASON for an application to need more access.
Administrator accounts could grant the programs access to system folders. Regular accounts couldnât. This would only affect the installs of software that has a legit reason for accessing system files (virtually none). Everything else could be installed from the regular accounts.
I believe someone has made this comment already but I gave up on âanti-virusâ long ago. I keep full installed (clean) images off all my computers as well as most of my direct family.
With compression now-a-days and the amazing cheapness of storage, you can have a TB array without really much cost. I have a resident Linux server, which has NEVER had a virus in 9 years, hosting the TB array and when I have issues I simply plug in my recover USB flash, or CD for some of the older computers, and dump the clean image back on my disk. If I am remote I can dial in to my server over the net, or I can just burn it to a DVD. Though the DVD solution is ungodly slow.
I recently had a virus/malware issue and within 30 minutes or so of realizing there was an issue I was up and running in newly dumped image. I do keep my documents/hard data stored on the server as well though so I donât have to worry about data loss on the image dump.
I think everyone should use this method, it all but removes virus and malware threats.
Just my two cents.
I like RobDudeâs idea, reinstalling windows should not mean reinstalling every piece of crap I own. The registry is a mess, can anyone remember off the top of their head where Unreal Tournament 2004 stores its own cd-key?
The registry was supposed to be a replacement for ini files, but I think ini files and folder permissions for an app should be what RobDude is suggesting.
Thatâs a bullshit. I always run as administrator and my comps never been infected.
There is only one lesson: donât be dumb.
Iâm all for spreading the (half)truth that linux/osx are saferâŚ
the more unix based users there are, the more software will come out for these platforms.
everything is a double edged sword though. More users means more interest in the malware-creation community.
RobDude,
I have BEGGING for that very same scheme for years.
It sucks having to reinstall all my apps if I scrub my OS, upgrade my harddrives or change the way my âtear-offâ VM is built. Just plain dumb.
The Registry was a big step backwards in usability.
Non-english people has a big advantage against all that spam virus e-mail. As my wife does not understand english, she never opens a mail not in french. 
I applaud the guy who can restore his system from an image in 5 minutes. You must have a smoking fast network to do that, and a small system disk. See whenever I backup/restore it takes hours and hours, and thatâs to a firewire drive.
See the problem is
1 - any data would have to be backed up first. There are many stupid programs that hide data in strange folders.
2 - your disk image would always have to be up-to-date
3 - you have to keep multiple images, because what happens if you got a virus, didnât know, and then made the backup. Youâve just backed up the virus.
You just canât win. Virtualisation and backups are just bandaids that help but canât solve the problem.
I just donât bother with small scale / unknown 3rd party apps anymore because itâs not worth the risk. I stick to well-known vendors and hope for the best.
Another converted Ubuntu user here. Someone mentioned above that the WinNT security model is actually far ahead of the standard UNIX security model - and thatâs true. The traditional ext3 filesystem for Linux only allocates nine bits per file for permissions information - stored as three octal numbers. Itâs absolutely a holdover from the years when hard drives were measured in tens of MBs.
In contrast, the NT security model has cascading ACLs, arbitrary numbers of groups and users for a file, and far more levels of permissions the UNIX read/write/execute bits. SELinux and extended attributes (xattrs) can add the same fine-grained security to Linux, but honestly, most people outside of the security profession donât use them.
The key difference here is that the WinNT ecosystem has a different culture - a culture of fear, as Jeff said, but also a culture of default-allow. Combined with the unfortunate integration of IE into the operating system (which is only finally being decoupled in Vista) for political reasons and we have a perfect storm, a malware deluge.
The UNIX culture, however, has a long history of multi-user computers. One of the first things you learn as a new Linux user is about file permissions, and about user accounts. Itâs not like this is too hard for users to grasp - permissions are used extensively in things like Sharepoint and CMSs, where users understand and like the ability to control access. But since itâs not a part of day-to-day use of the OS, it doesnât occur to them that files on the hard disk can have the same setup. Itâs a shame, because they are, after all, working with a great security model - if they realized it.
I would like to see some answer from the VM proponents to Mr Sandmanâs comments about the price of extra windows licenses⌠we donât all have MSDN.
Seem to be lots of spreading of fear culture here among the comments, from some of the comments you would almost deduct that every windows installation is ridden with viruses and trojams, pherhaps I may humbly suggest you get a basic 101 computer course if thatâs your experience.
Also, we have to separate between getting a virus warning visiting a site and or when getting an email and the system actually being infected, I have know people that have reinstalled the system when all that happened was that the antivirus alerted when visiting a website or that it alerted on a scan that something was in the temporary files cache, it doesnât mean the machine was infected but most users seem to think that.
And, like I said previously, how often does this happen really ? Most people donât get viruses on a daily basis or even on a yearly basis, thatâs what it sounds like in this article and in the comments, a user with some common sense that do not download that stays away from âwarezâ and those kinds of things will not get a virus infection just out of the blue, it was a very long time since Windows had that kind of bugs where you could get infected just being on the internet, it just doesnât happen today. Again, a page or a file in the cache is not an infection.
The more you blog about blogging, the less likely I am to read it. Apparently this has become the meta-blogâŚ
I have a tech-savvy buddy with an interesting strategy. As one with in-demand skills, youâre time limited. His strategy is pretty simple - called Three Strikes.
The first time a family or friendâs computer is infected, he fixes it for free. Whatever it is. Does it require a complete rebuild? Install a proper firewall, anti-scum⌠whatever it takes.
The second strike is at cost. I donât know his billing rates.
The third strike calls for a Linux install, also free.
He reports that a cousin is now running Ubuntu, and seems to like it. His Dad has had his second strike.
It doesnât work for me, though. I have a brother who fixes Windows for a living, and seems content to keep fixing my Dadâs machine.
I donât know if you are familiar with Winpooch: it is what i could consider the new generation of protection software, and it also comes (coincidence? i think not) from the open source universe. It is pretty much a quick fix but the only way a long-term fix could be made is if windows would take the direction suggested by RobDude.
From the Winpooch website http://winpooch.free.fr/
âWinpooch uses the API Hooking method. It spies programs when they are running and gives to the user a powerful control of their activity.For example, you can forbide a program to write in a system directory or in the registry, or else to connect to internet. That makes the difference between others anti spywares using a database of known signatures.â
Quite similar to sandboxing. Too bad it really needs the userâs ability to tell what should be trusted and what not, and it doesnât at all fix the problem of a trusted, licenced app which has an inner vulnerability that makes it a backdoor for attacks.
But as long as the regular user would even at times ignore virus warnings from current antivirus software, as I have recently seen (mistaking .mp3.exe files for archives), there is absolutely no chance for a safe world without some big changes being made.
This is an old blog entry but I thought Iâd post a comment anyway.
This is for windows people that for whatever reason have decided to keep running in admin for convenienceâs sake. I am NOT advocating this over running as simple user on the desktop, but since people do it anyway⌠There is a way to have your cake and eat it too. Since most vulnerabilities come from running apps that connect to the internet, run those select few apps with simple user privileges, on your admin desktop. Here is how:
Get pstools from microsoft. A free download. it contains psexec
For each app, create a batch invoking psexec with the app as the parameter and -l for limited user mode.
Get a free batch file compiler to compile the batch file in an exe and make it so it doesnt display the console window
Replace your app shortcuts with those pointing to your compiled batch file. Change the icons too. Good candidate programs are your browser, torrent client, emule, m_irc, msn, whatever you know accesses the net. Make sure you also go through each program once as admin to take care of all firewall and folder permisson issues on the download folders.
You do this once when you set up the machine. Wonât take more than 20-30mins. After that its NO EXTRA HASSLE. You just get a few more cmd and psexec processes in task manager.